

NASA Contractor Report 191466 


NASA-CR-191466 
19940017941 


Towards the Formal Verification of the 
Requirements and Design of a Processor 
Interface Unit — HOL Listings 


David A. Fura 
The Boeing Company 
Seattle, Washington 


Phillip J. Windley 
University of Idaho 
Moscow, Idaho 

Gerald C. Cohen 
The Boeing Company 
Seattle, Washington 

NASA Contract NAS 1 - 18586 
November 1993 



NASA 

National Aeronautics and 
Space Administration 


Langley Research Center 

Hampton, Virginia 23681-0001 




Preface 


This document was generated in support of NASA contract NAS1-18586, Design and Validation of Digital 
Flight Control Systems Suitable for Fly-By-Wire Applications, Task Assignment 10. Task 10 is concerned 
with the formal specification and verification of a processor interface unit. 

This report contains the HOL listings of the formal verification of the design and partial requirements for a 
processor interface unit using the HOL theorem-proving system. The verification approach is described in 
NASA CR-4522. The processor interface unit is a single-chip subsystem within a fault-tolerant embedded 
system under development within the Boeing Defense & Space Group. It provides the opportunity to in- 
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fault-tolerant computer. 
1 Introduction 

This technical report contains the HOL listings of the partial verification of the requirements and design 
for a commercially-developed processor interface unit (or PIU). The PIU is an interface chip performing 
memory-interface, bus-interface, and additional support services for a commercial microprocessor within a 
fault-tolerant computer system. This system, the Fault-Tolerant Embedded Processor (FTEP), is targeted 
towards applications in avionics and space requiring extremely high levels of mission reliability, extended 
maintenance-free operation, or both. 

This report contains the actual HOL listings of the PIU verification as it currently exists. For those inter- 
ested in an informal description of the PIU verification, NASA CR-4522 contains a discussion of the issues 
involved in the PIU verification, as well as an overview of the verification itself. 

Section 2 of this report contains general-purpose HOL theories and definitions that support the PIU ver- 
ification. These include arithmetic theories dealing with inequalities and associativity, and a collection of 
tactics used in the PIU proofs. 

Section 3 contains the HOL listings for the completed PIU design verification. 

Section 4 contains the HOL listings for the partial requirements verification of the P-Port. 
2 Supporting Theories 




This section contains general-purpose theories and loadable definitions used in the PIU verification. 
The file aux_defs.ml contains some useful definitions and tactics; the file abs_theory.ml contains the defi- 
nitions for creating abstract theories in HOL; and the file pt_defs.ml contains some definitions used in the 
PIU verification. The files pt_tacs.ml and range_induct.ml contain assumption-list-handling tactics and a 
range-induction tactic, respectively. 

The three theories assoc, cond, and ineq contain theorems involving arithmetic associativity, the HOL 
conditional operator, and arithmetic inequalities, respectively. 


% 


File: aux_defs.ml 

Author: PJWindley (UCDavis) 

Purpose: Gives a few useful definitions. 


•% 


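% new_autoload_theory thy : register every definition and every theorem
  of theory thy for autoloading on first use. Returns (). %
let new_autoload_theory thy =
    map (\name. autoload_theory ('definition', thy, name))
        (map fst (definitions thy));
    map (\name. autoload_theory ('theorem', thy, name))
        (map fst (theorems thy));
    ();;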

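% load_parent s : declare theory s a parent of the current theory and
  set up autoloading of its definitions and theorems. %
let load_parent s =
    new_parent s;
    new_autoload_theory s;;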

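% toggle_flag s : invert the boolean system flag named s. %
let toggle_flag s =
    set_flag (s, not (get_flag_value s));;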

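% SYM_RULE thm : flip every equality in thm (one pass of SYM_CONV).
  The rule is written applied to its argument so that the ? handler
  actually covers the conversion; wrapped around the bare partial
  application CONV_RULE (...) it could never fire. %
let SYM_RULE thm =
    CONV_RULE (ONCE_DEPTH_CONV SYM_CONV) thm
    ? failwith 'SYM_RULE';;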

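% EXPAND_LET_RULE x : expand let-bindings in theorem x, then beta-reduce.
  changed "ONCE_" to "PURE_ONCE_" 28Sep92 [DAF] %
let EXPAND_LET_RULE x =
    (BETA_RULE
        (PURE_ONCE_REWRITE_RULE [LET_DEF] x));;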

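% EXPAND_LET_TAC : expand let-bindings in the goal, then beta-reduce.
  Note that this uses ONCE_REWRITE_TAC, whereas EXPAND_LET_RULE uses the
  PURE_ONCE variant; the two are not exact counterparts. %
let EXPAND_LET_TAC =
    ONCE_REWRITE_TAC [LET_DEF]
    THEN BETA_TAC;;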

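% ISPEC var thm : specialise the outermost universal of thm to var,
  first instantiating the type variables of thm so that the bound
  variable's type matches var. Fails with 'ISPEC' if thm is not a
  universal or the types do not match. %
let ISPEC var thm =
    (let _,i = match (fst (dest_forall (concl thm))) var in
     SPEC var (INST_TYPE i thm)) ? failwith 'ISPEC';;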

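% PAIR_BETA_RULE : unfold one layer of UNCURRY in a theorem and
  beta-reduce, i.e. beta-reduce an application to a pair. %
let PAIR_BETA_RULE =
    BETA_RULE o (ONCE_REWRITE_RULE [UNCURRY_DEF]);;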

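% PAIR_BETA_TAC : goal-side counterpart of PAIR_BETA_RULE. %
let PAIR_BETA_TAC =
    ONCE_REWRITE_TAC [UNCURRY_DEF] THEN
    BETA_TAC;;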


% 
Redefine TAC_PROOF so that it tells you about the unsolved goals. 

let TAC_PROOF : (goal # tactic) -> thm = 
    set_fail_prefix 'TAC_PROOF' 
    (\(g, tac). 
        let gl,p = tac g in 
        if null gl then p[] 
        else ( 
            message ('Unsolved goals:'); 
            map print_goal gl; 
            print_newline (); 
            failwith 'unsolved goals'));; 

Removed from HOL 1.12. 
% 

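% int_to_term n : the numeral constant n as a term of type :num.
  term_to_int tm : the integer denoted by numeral constant tm
  (fails if tm is not a constant or its name is not a number). %
let int_to_term = ((C o curry) mk_const ":num") o string_of_int and
    term_to_int = (int_of_string o fst o dest_const);;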


% 
File: abs_theory.ml 

Description: 

Defines ML functions for defining generic structures. This is 
a refinement of the abstract.ml package. 

Author: (c) P. J. Windley 1991 

Date: 07 NOV 91 

Modification History: 

07NOV91 -- [PJW] Original file. 

22JAN92 -- [PJW] Changed make_abs_goal to account for different 
type instantiations. This allows proof of goals about 
more than one instance of a generic object. 

07JUN92 -- [PJW] Added sections to hide internal functions. 

Changed new_theory_obligation to take only one 
thob instead of a list of thobs. 

Added definition of STRIP_THOBS_THEN and redefined 
STRIP_THOBS_TAC in terms of it. 

Changed implementation of instantiate_abstract_theorems 
to allow the use of explicit theory obligations. 
% 


% 
To Do: 

Extending abstract representations. 

This is difficult since HOL doesn't handle subtypes. 
% 


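% Announce the load of this file on the terminal. %
print_newline ();;
message ('loading abs_theory');;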

% 

Extend the help search path 

% 

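% Add the abs_theory help entries to the help search path
  (union keeps the path unchanged if it is already present). %
tty_write 'Extending help search path';
let path = library_pathname () ^ '/abs_theory/help/entries/' in
set_help_search_path (union [path] (help_search_path ()));;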
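% Everything up to end_section is hidden except the names exported
  through the tuple bound to it at the end of the section. %
begin_section abs_theory;;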


% 
Load the patch to concat if the following ml statement prints a 
number less than 5000 and HOL version <= 2.00. 

lisp '(print call-arguments-limit)';; 

let test_string n = 
    letrec aux s i = 
        (i = 0) => s | aux ('x' ^ s) (i-1) in 
    aux '' n;; 
% 


% message 'patching concat'; loadf 'concat-patch';; % 

% 

define some general list functions 
% 

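% int_to_term n : the numeral constant n as a term of type :num.
  term_to_int tm : the integer denoted by numeral constant tm.
  (Same definitions as in aux_defs.ml; repeated so this file is
  self-contained.) %
let int_to_term = (((C (curry mk_const)) ":num") o string_of_int) and
    term_to_int = (int_of_string o fst o dest_const);;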

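% for n lst : the first n elements of lst, in order.
  Fails (via hd on []) when lst has fewer than n elements; callers in
  this file rely on that failure (see get_abs_defs, which uses mapfilter). %
letrec for n lst =
    (n = 0) => []
    | (hd lst) . (for (n-1) (tl lst));;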

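% ol lst : compose a list of functions, ol [f;g;h] = f o g o h,
  with ol [] = I (the identity). %
letrec ol lst = null lst => I | (hd lst) o (ol (tl lst));;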

% ______ 

General purpose inference rules 

% 

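% X_SPEC tm v thm : specialise the universally bound variable tm of thm
  to v, leaving the variables quantified before it re-generalised (GEN)
  and those after it untouched. If tm is not among the outer
  quantifiers thm is returned with the same outer quantifiers. %
let X_SPEC tm v thm =
    let tml = (fst o strip_forall o concl) thm in
    letrec SPECl_aux tml sthm =
        (tml = []) => sthm |
        ((hd tml) = tm) =>
            (SPEC v sthm) |
            (GEN (hd tml) (SPECl_aux (tl tml) (SPEC (hd tml) sthm))) in
    SPECl_aux tml thm;;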

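% CONJ_IMP th : curry conjunctive antecedents, turning
  A /\ B ==> C into A ==> B ==> C (recursively, for every nested
  implication). A theorem that is not an implication is returned
  unchanged. %
letrec CONJ_IMP th =
    let w = concl th in
    if is_imp w then
        let ante,_ = dest_imp w in
        if is_conj ante then
            let a,b = dest_conj ante in
            CONJ_IMP
                (DISCH a (DISCH b (MP th (CONJ (ASSUME a) (ASSUME b)))))
        else (DISCH ante (CONJ_IMP (UNDISCH th)))
    else th;;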


% 
define auxiliary functions for new_abstract_representation 
% 

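% abs_type_info : the type of the representation constructor's argument,
  dug out of a define_type axiom by the chain of destructors below. %
let abs_type_info = (type_of o snd o dest_comb o fst o dest_eq o snd o
                     strip_forall o snd o dest_abs o snd o dest_comb o
                     snd o strip_forall o concl);;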


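% dest_all_type ty : (name, argument types) for any type, treating a
  type variable as a constructor with no arguments. %
let dest_all_type ty =
    is_vartype ty => (dest_vartype ty, []:(type) list) | dest_type ty;;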

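% string_from_type ty : render ty in define_type syntax,
  e.g. (num,bool)prod. The listing appends a trailing space to the
  result; it is kept since ty_str only joins these strings with blanks. %
let string_from_type ty =
    letrec string_aux ty =
        let s,tl = dest_all_type ty in
        null tl => s |
        let sl = map string_aux tl in
        '(' ^ (itlist (\x y. x ^ ',' ^ y) (butlast sl) (last sl)) ^ ')' ^ s in
    (string_aux ty) ^ ' ';;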


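% ty_str name lst : the define_type specification string
  "name = name ty1 ty2 ..." for a single-constructor type whose
  constructor is also called name and takes the types in lst. %
let ty_str name lst =
    name ^ ' = ' ^ name ^ ' ' ^
    (itlist (\x y. x ^ ' ' ^ y) (map string_from_type lst) '');;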
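% Name prefix of the selector definitions generated by
  new_abstract_representation; get_abs_defs finds them by this prefix. %
letref def_prefix = 'abs_def_';;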

% 
new_abstract_representation 

Defines a type for the representation and selectors on that type. 
% 


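% new_abstract_representation name lst : define a record-like type
  called name from lst, a list of (field name, field type) pairs, and
  one selector definition per field (named def_prefix ^ field).
  Returns the define_type axiom. %
let new_abstract_representation name lst =
    let nl,tl = split lst in
    let ty_axiom = define_type name (ty_str name tl) in
    let cons_term =
        (snd o dest_comb o fst o dest_eq o snd o strip_forall o snd o
         dest_abs o snd o dest_comb o snd o strip_forall o concl) ty_axiom in
    % selector x applied to the constructor term yields argument y %
    let make_rec_def (x,y) =
        new_recursive_definition false ty_axiom (def_prefix ^ x)
            "^(mk_var (x, mk_type ('fun', [type_of cons_term;
                                           type_of y]))) ^cons_term = ^y" in
    (map2 make_rec_def (nl, (snd o strip_comb) cons_term)); ty_axiom;;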


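% get_abs_defs theory : the selector definitions of theory, i.e. those
  whose name starts with def_prefix. mapfilter drops names shorter than
  the prefix, for which `for` fails. %
let get_abs_defs theory =
    let prefix_len = length o explode in
    map snd (
        mapfilter (\x. (((for (prefix_len def_prefix)) o explode o fst) x) =
                       (explode def_prefix) => x | fail)
                  (definitions theory));;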


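% instantiate_abstract_definition th_name def_name defn2 inst_list :
  instantiate the abstract definition def_name of theory th_name, and
  the concrete definition defn2, with the (pattern, instance) pairs in
  inst_list; expand the selector definitions of th_name in both, and
  rewrite the instantiated defn2 once with the instantiated def_name.
  The two instantiations share the local helper inst. %
let instantiate_abstract_definition th_name def_name defn2 inst_list =
    let def = definition th_name def_name in
    let abs_defs = get_abs_defs th_name in
    let inst thm =
        GEN_ALL (
            BETA_RULE (
                REWRITE_RULE abs_defs (
                    ol (map (\(x,y). INST_TY_TERM (match x y)) inst_list)
                       (SPEC_ALL thm)))) in
    let inst_def = inst def in
    let new_def = inst defn2 in
    BETA_RULE (ONCE_REWRITE_RULE [inst_def] new_def);;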


% 
Auxiliary definitions for theory obligations 
% 


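% Theory obligations of the current theory: (representation type,
  obligation definition) pairs. Reset by new_theory and close_theory. %
letref thobs = []:(type#thm) list;;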

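% Name prefix of stored theory-obligation definitions. %
let thobs_prefix = 'thobs_';;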

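% new_theory_obligations (name, tm) : define the theory obligation tm
  under the name thobs_prefix ^ name and record it in thobs, keyed by
  the type of the obligation's argument. Fails unless tm defines a
  predicate (its right-hand side has type :bool). %
let new_theory_obligations stm_pair =
    let get_thob_type thm =
        ((type_of o rand o fst o dest_eq o
          snd o strip_forall o concl) thm) in
    let is_not_pred_def tm =
        not ((type_of o snd o dest_eq o
              snd o strip_forall o snd) tm = ":bool") in
    % let not_bool_list = (filter is_not_pred_def stm_pair) in %
    let make_def (x,y) = (
        let new_def = new_definition (thobs_prefix ^ x, y) in
        (get_thob_type new_def, new_def)) in
    ((is_not_pred_def stm_pair) =>
        failwith 'NON PREDICATE TERMS IN THEORY OBLIGATIONS' |
        (thobs := [make_def stm_pair] @ thobs));
    ();;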


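% get_thobs theory : add the theory obligations stored in theory (the
  definitions named with thobs_prefix) to thobs and return the new list.
  Uses mapfilter, as get_abs_defs does, so that a definition whose name
  is shorter than the prefix is skipped instead of making `for` fail
  and aborting the whole call. %
let get_thobs theory =
    let prefix_len = length o explode in (
    let get_thob_type thm =
        ((type_of o rand o fst o dest_eq o
          snd o strip_forall o concl) thm) in
    let the_thobs =
        mapfilter (\x. (((for (prefix_len thobs_prefix)) o explode o fst) x) =
                       (explode thobs_prefix) => x | fail)
                  (definitions theory) in
    thobs := (map (\(x,y). (get_thob_type y, y)) the_thobs) @ thobs;
    thobs);;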


% 
Functions for proving abstract goals. 
% 


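% f orelsef g : apply f, falling back to g if f fails.
  (f D g) x = (f x, g x) : apply two functions to one argument. %
let orelsef f g x = (f x) ? (g x);;
ml_curried_infix 'orelsef';;
let D (f,g) x = (f x, g x);;
ml_paired_infix 'D';;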
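% make_abs_goal (hyps, go) : turn goal go into a concrete goal by
  removing the quantifiers over abstract-typed variables and adding the
  conjuncts of the matching theory obligations (instantiated to those
  variables) to the hypotheses. Fails if no theory obligations exist. %
let make_abs_goal (hyps, go) =
    if null (thobs) then failwith 'No theory obligations defined.' else
    let vl,pred = strip_forall go in
    let ql = union vl (frees pred) in
    % head type constructor; a type variable counts as its own name %
    let type_cons_of = fst o (dest_type orelsef (dest_vartype D \x.[])) in
    let thob_types = map (type_cons_of o fst) thobs in
    let tmp_goal = list_mk_forall
        (filter (\x. not (mem ((type_cons_of o type_of) x) thob_types)) ql,
         pred) in
    let vars = filter (\x. mem ((type_cons_of o type_of) x) thob_types) ql in
    let make_hyps var =
        let get_thob_var tm =
            ((rand o fst o dest_eq o snd o strip_forall) tm) in
        let thob = snd (((assoc o type_cons_of o type_of) var)
                        (map (type_cons_of # I) thobs)) in
        (conjuncts o snd o dest_eq o concl o
         (INST_TY_TERM (match ((get_thob_var o concl) thob) var)) o
         SPEC_ALL) thob in
    (hyps @ (flat (map make_hyps vars)), tmp_goal);;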

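% prove_abs_thm (tok, w, tac) : prove the abstract goal w with tac and
  save it under the name tok. The failure message now names this
  function rather than prove_thm. %
let prove_abs_thm (tok, w, tac:tactic) =
    let gl,prf = tac (make_abs_goal ([],w)) in
    if null gl then save_thm (tok, prf[])
    else
        (message ('Unsolved goals:');
         map print_goal gl;
         print_newline ();
         failwith ('prove_abs_thm -- could not prove ' ^ tok));;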


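% ABS_TAC_PROOF (g,tac) uses tac to prove the abstract goal g;
  unsolved subgoals are printed before failing. %
let ABS_TAC_PROOF : (goal # tactic) -> thm =
    set_fail_prefix 'ABS_TAC_PROOF'
    (\(g,tac).
        let new_g = (make_abs_goal g) in
        let gl,p = tac new_g in
        if null gl then p[]
        else (
            message ('Unsolved goals:');
            map print_goal gl;
            print_newline ();
            failwith 'unsolved goals'));;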


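% Set the top-level goal / initialize the subgoal package with the
  concrete form of abstract goal g.
  NOTE(review): the state accessor is read from the scan as abs_goals;
  confirm against the subgoal package this file was used with. %
let set_abs_goal g =
    let new_g = (make_abs_goal g) in
    change_state (abs_goals (new_stack new_g));;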

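% g t : set abstract goal t with no hypotheses (replaces the standard g). %
let g = \t. set_abs_goal ([],t);;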

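% STRIP_THOBS_THEN ttac : strip the goal's quantifiers and antecedents,
  expanding theory obligations in each stripped theorem before handing
  it to ttac. Fails if no theory obligations exist. %
let STRIP_THOBS_THEN ttac =
    if null (thobs) then failwith 'No theory obligations defined.' else (
    REPEAT GEN_TAC THEN
    STRIP_GOAL_THEN
        (ttac o (REWRITE_RULE (map snd thobs))));;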


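% STRIP_THOBS_TAC : STRIP_THOBS_THEN with the stripped theorems assumed. %
let STRIP_THOBS_TAC ((asl, w):goal) =
    STRIP_THOBS_THEN STRIP_ASSUME_TAC (asl, w);;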

% 
Functions for USING an abstract theory 
% 


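% new_abstract_parent s : make theory s a parent and import its theory
  obligations into thobs. Returns (). %
let new_abstract_parent s =
    new_parent s;
    get_thobs s;
    ();;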

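% EXPAND_THOBS_TAC name : rewrite the goal with all theory obligations
  and the selector definitions of theory name. %
let EXPAND_THOBS_TAC name =
    REWRITE_TAC ((map snd thobs) @ get_abs_defs name);;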


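% instantiate_abstract_theorem th_name thm_name inst_list lemma_list :
  instantiate theorem thm_name of theory th_name with inst_list, expand
  theory obligations and selector definitions, curry the antecedents,
  and discharge every remaining antecedent with a matching conjunct of
  a lemma in lemma_list (each lemma expanded the same way).
  Fails (via find) if some antecedent has no matching lemma conjunct. %
let instantiate_abstract_theorem th_name thm_name inst_list lemma_list =
    let thm = (theorem th_name thm_name) in
    let rewrites = (map snd thobs) @ get_abs_defs th_name in
    let inst_thm =
        CONJ_IMP (
            BETA_RULE (
                REWRITE_RULE rewrites (
                    (ol (map (\(x,y). INST_TY_TERM (match x y)) inst_list)) (
                        (DISCH_ALL o
                         (ol (map (\l. (X_SPEC (fst l) (fst l))) inst_list)))
                            thm)))) in
    let mk_thm_list =
        CONJUNCTS o BETA_RULE o (REWRITE_RULE rewrites) in
    let thm_list =
        map (\y. find (\x. (concl x) = y)
                      (flat (map mk_thm_list lemma_list)))
            ((hyp o UNDISCH_ALL o CONJ_IMP) inst_thm) in
    LIST_MP thm_list inst_thm;;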


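%
Modify the standard commands so that they know about obligation
lists.
%

% Keep the original close_theory so the replacement below can call it. %
let close_theory_orig = close_theory;;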


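% close_theory x : clear the theory obligations, then close as usual. %
let close_theory x =
    thobs := [];
    close_theory_orig x;;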

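% Keep the original new_theory so the replacement below can call it. %
let new_theory_orig = new_theory;;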

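% new_theory x : clear the theory obligations, then start theory x. %
let new_theory x =
    thobs := [];
    new_theory_orig x;;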
% 
Bind exportable functions to it. 
% 

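% The tuple of exported functions; its value is bound to it and
  recovered after end_section. %
(
    ABS_TAC_PROOF,
    EXPAND_THOBS_TAC,
    STRIP_THOBS_TAC,
    STRIP_THOBS_THEN,
    abs_type_info,
    close_theory,
    g,
    instantiate_abstract_definition,
    instantiate_abstract_theorem,
    new_abstract_parent,
    new_abstract_representation,
    new_theory,
    new_theory_obligations,
    prove_abs_thm,
    set_abs_goal
);;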

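end_section abs_theory;;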

% 
Recover exportable functions from it. 
% 

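% Rebind the exported functions, in the same order as the tuple above. %
let (
    ABS_TAC_PROOF,
    EXPAND_THOBS_TAC,
    STRIP_THOBS_TAC,
    STRIP_THOBS_THEN,
    abs_type_info,
    close_theory,
    g,
    instantiate_abstract_definition,
    instantiate_abstract_theorem,
    new_abstract_parent,
    new_abstract_representation,
    new_theory,
    new_theory_obligations,
    prove_abs_thm,
    set_abs_goal
) = it;;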




% 
File: pt_defs.ml 

Author: (c) D.A. Fura 1992-93 

Date: 15 February 1993 

Definitions used in the P-Port trans-level proof. 
% 


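% New_State_Is_PA s' e' t' : the P-port FSM's next state, computed from
  the state s' t', is PA. The next-state expression is identical in
  New_State_Is_PD and New_State_Is_PH below; only the compared state
  differs. (It is reconstructed here from those two copies, the scan of
  this definition being incomplete.) %
let New_State_Is_PA = new_definition
    ('New_State_Is_PA',
     "! (s':timeC->pc_state) (e':timeC->pc_env) (t':timeC) .
      New_State_Is_PA s' e' t' =
        ((P_fsm_rstS (s' t') => PA |
          ((P_fsm_stateS (s' t') = PH) =>
             (P_fsm_hold_S (s' t') => PA | PH) |
           ((P_fsm_stateS (s' t') = PA) =>
              ((P_fsm_mrqtS (s' t') \/
                ~P_fsm_crqt_S (s' t') /\ ~P_fsm_cgnt_S (s' t')) => PD |
               ((~P_fsm_hold_S (s' t') /\ P_fsm_lock_S (s' t')) => PH | PA)) |
            ((P_fsm_sackS (s' t') /\ P_fsm_hold_S (s' t')) => PA |
             ((P_fsm_sackS (s' t') /\
               ~P_fsm_hold_S (s' t') /\
               ~P_fsm_lock_S (s' t')) => PA |
              ((P_fsm_sackS (s' t') /\
                ~P_fsm_hold_S (s' t') /\
                P_fsm_lock_S (s' t')) => PH | PD)))))) = PA)"
    );;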


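% New_State_Is_PD s' e' t' : the P-port FSM's next state is PD.
  Same next-state expression as New_State_Is_PA / New_State_Is_PH. %
let New_State_Is_PD = new_definition
    ('New_State_Is_PD',
     "! (s':timeC->pc_state) (e':timeC->pc_env) (t':timeC) .
      New_State_Is_PD s' e' t' =
        ((P_fsm_rstS (s' t') => PA |
          ((P_fsm_stateS (s' t') = PH) =>
             (P_fsm_hold_S (s' t') => PA | PH) |
           ((P_fsm_stateS (s' t') = PA) =>
              ((P_fsm_mrqtS (s' t') \/
                ~P_fsm_crqt_S (s' t') /\ ~P_fsm_cgnt_S (s' t')) => PD |
               ((~P_fsm_hold_S (s' t') /\ P_fsm_lock_S (s' t')) => PH | PA)) |
            ((P_fsm_sackS (s' t') /\ P_fsm_hold_S (s' t')) => PA |
             ((P_fsm_sackS (s' t') /\
               ~P_fsm_hold_S (s' t') /\
               ~P_fsm_lock_S (s' t')) => PA |
              ((P_fsm_sackS (s' t') /\
                ~P_fsm_hold_S (s' t') /\
                P_fsm_lock_S (s' t')) => PH | PD)))))) = PD)"
    );;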


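% New_State_Is_PH s' e' t' : the P-port FSM's next state is PH.
  Same next-state expression as New_State_Is_PA / New_State_Is_PD. %
let New_State_Is_PH = new_definition
    ('New_State_Is_PH',
     "! (s':timeC->pc_state) (e':timeC->pc_env) (t':timeC) .
      New_State_Is_PH s' e' t' =
        ((P_fsm_rstS (s' t') => PA |
          ((P_fsm_stateS (s' t') = PH) =>
             (P_fsm_hold_S (s' t') => PA | PH) |
           ((P_fsm_stateS (s' t') = PA) =>
              ((P_fsm_mrqtS (s' t') \/
                ~P_fsm_crqt_S (s' t') /\ ~P_fsm_cgnt_S (s' t')) => PD |
               ((~P_fsm_hold_S (s' t') /\ P_fsm_lock_S (s' t')) => PH | PA)) |
            ((P_fsm_sackS (s' t') /\ P_fsm_hold_S (s' t')) => PA |
             ((P_fsm_sackS (s' t') /\
               ~P_fsm_hold_S (s' t') /\
               ~P_fsm_lock_S (s' t')) => PA |
              ((P_fsm_sackS (s' t') /\
                ~P_fsm_hold_S (s' t') /\
                P_fsm_lock_S (s' t')) => PH | PD)))))) = PH)"
    );;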


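% New_P_Rqt_Is_TRUE s' e' t' : value of the P-port request signal.
  If a new request, a reset, or a completed transfer (size match, not
  I_srdy, next state PD) is present, the value is T only for a new
  request with neither reset nor completion, F otherwise (the last
  branch, where none of the three holds, is unreachable and yields ARB);
  if none is present, the current request bit P_rqtS is kept.
  NOTE(review): the environment field names L_ads_E, L_den_E, RstE and
  I_srdy_E are read from the scan; confirm against pc_env. %
let New_P_Rqt_Is_TRUE = new_definition
    ('New_P_Rqt_Is_TRUE',
     "! (s':timeC->pc_state) (e':timeC->pc_env) (t':timeC) .
      New_P_Rqt_Is_TRUE s' e' t' =
        (~SND (L_ads_E (e' t')) /\ SND (L_den_E (e' t')) \/
         SND (RstE (e' t')) \/
         (P_sizeS (s' t') = (P_downS (s' t') => WORDN 1 1 | WORDN 1 0)) /\
         ~SND (I_srdy_E (e' t')) /\
         New_State_Is_PD s' e' t') =>
          (((~SND (L_ads_E (e' t')) /\ SND (L_den_E (e' t'))) /\
            ~(SND (RstE (e' t')) \/
              (P_sizeS (s' t') = (P_downS (s' t') => WORDN 1 1 | WORDN 1 0)) /\
              ~SND (I_srdy_E (e' t')) /\
              New_State_Is_PD s' e' t')) => T |
           ((~(~SND (L_ads_E (e' t')) /\ SND (L_den_E (e' t'))) /\
             (SND (RstE (e' t')) \/
              (P_sizeS (s' t') = (P_downS (s' t') => WORDN 1 1 | WORDN 1 0)) /\
              ~SND (I_srdy_E (e' t')) /\
              New_State_Is_PD s' e' t')) => F |
            ((~(~SND (L_ads_E (e' t')) /\ SND (L_den_E (e' t'))) /\
              ~(SND (RstE (e' t')) \/
                (P_sizeS (s' t') = (P_downS (s' t') => WORDN 1 1 | WORDN 1 0)) /\
                ~SND (I_srdy_E (e' t')) /\
                New_State_Is_PD s' e' t')) => F | ARB))) |
          P_rqtS (s' t')"
    );;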


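% Sack_Sig_Is_TRUE s e : the signal (function of time) that is true when
  the transfer size has been reached, I_srdy is low, and the next FSM
  state is PD. %
let Sack_Sig_Is_TRUE = new_definition
    ('Sack_Sig_Is_TRUE',
     "! (s:timeC->pc_state) (e:timeC->pc_env) .
      Sack_Sig_Is_TRUE s e =
        (\u:timeC.
          (P_sizeS (s u) = (P_downS (s u) => WORDN 1 1 | WORDN 1 0)) /\
          ~SND (I_srdy_E (e u)) /\
          New_State_Is_PD s e u)"
    );;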

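% P_Size_Zero_Out_Is_TRUE s' t' : the size counter has reached its
  terminal value (1 when counting down, 0 otherwise). %
let P_Size_Zero_Out_Is_TRUE = new_definition
    ('P_Size_Zero_Out_Is_TRUE',
     "! (s':timeC->pc_state) (t':timeC) .
      P_Size_Zero_Out_Is_TRUE s' t' =
        (P_sizeS (s' t') = (P_downS (s' t') => WORDN 1 1 | WORDN 1 0))"
    );;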


% 
File: pt_tacs.ml 

Author: (c) D.A. Fura 1992-93 

Date: 16 February 1993 

Custom tactics used in the P-Port trans-level proof. 
% 


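% LIMP thm : the left-to-right implication of equality theorem thm.
  RIMP thm : the right-to-left implication. Both re-generalise. %
let LIMP = (\thm. GEN_ALL (fst (EQ_IMP_RULE (SPEC_ALL thm))));;
let RIMP = (\thm. GEN_ALL (snd (EQ_IMP_RULE (SPEC_ALL thm))));;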

% 
Code from Brian Graham. See "Dealing with the Choice Operator 
in HOL88" by Brian Graham for more information. 
% 

% 
SELECT_UNIQUE_RULE : 

("x","y") A1 |- Q[y] A2 |- !x y. (Q[x] /\ Q[y]) ==> (x = y) 
------------------------------------------------------------ 
A1 U A2 |- (@x . Q[x]) = y 

Permits substitution for values specified by the Hilbert Choice 
operator with a specific value, if and only if unique existence 
of the specific value is proven. 
% 

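% inl_conv_rule conv : apply conv once, at depth, to a theorem, failing
  if it changes nothing. %
let inl_conv_rule = CONV_RULE o ONCE_DEPTH_CONV o CHANGED_CONV;;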

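% SELECT_UNIQUE_RULE (x,y) th1 th2 : from th1 |- Q[y] and
  th2 |- !x y. Q[x] /\ Q[y] ==> (x = y), derive |- (@x. Q[x]) = y. %
let SELECT_UNIQUE_RULE (x,y) th1 th2 =
    let Q = mk_abs (x, subst [x,y] (concl th1))
    in
    % restate th1 as |- (\x. Q[x]) y, then introduce the choice term %
    let th1' = SUBST [SYM (BETA_CONV "^Q ^y"), "b:bool"] "b:bool" th1
    in
    (MP (SPECL ["$@ ^Q"; y] th2)
        (CONJ (inl_conv_rule BETA_CONV (SELECT_INTRO th1')) th1));;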

% 
SELECT_UNIQUE_TAC : 

[ A ] "(@x. Q[x]) = y" 
=================================================== 
[ A ] "Q[y]"          [ A ] "!x y. (Q[x] /\ Q[y]) ==> (x = y)" 

Given a goal that requires proof of the value specified by the 
Hilbert choice operator, it returns 2 subgoals: 
1. "y" satisfies the predicate, and 
2. unique existence of the value that satisfies the predicate. 
% 

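% SELECT_UNIQUE_TAC : reduce a goal (@x. Q[x]) = y to the two subgoals
  Q[y] and !x x'. Q[x] /\ Q[x'] ==> (x = x'), justified by
  SELECT_UNIQUE_RULE. x' is a variant of x fresh for the goal. %
let SELECT_UNIQUE_TAC:tactic = \(gl,g).
    let Q,y = dest_eq g
    in
    let x,Qx = dest_select Q
    in
    let x' = variant (x.freesl(g.gl)) x
    in
    let Qx' = subst [x',x] Qx
    in
    ([gl, subst [y,x] Qx;
      gl, "!^x ^x'. (^Qx /\ ^Qx') ==> (^x = ^x')"],
     (\thl. SELECT_UNIQUE_RULE (x,y) (hd thl) (hd (tl thl))));;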

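% Find_Imp tm : locate, under the quantifiers and implications of tm,
  the first implication with a quantifier directly in its antecedent or
  consequent. Returns (tag, subterm) with tag 'exl'/'exr'/'forl'/'forr'
  (exists/forall on the left/right), or ('n', tm) if there is none.
  The recursive result on the antecedent is bound once instead of being
  recomputed on the success path. %
letrec Find_Imp tm =
    if is_imp tm & is_exists (fst (dest_imp tm)) then ('exl',tm)
    else if is_imp tm & is_exists (snd (dest_imp tm)) then ('exr',tm)
    else if is_imp tm & is_forall (fst (dest_imp tm)) then ('forl',tm)
    else if is_imp tm & is_forall (snd (dest_imp tm)) then ('forr',tm)
    else if is_imp tm then
        let left = Find_Imp (fst (dest_imp tm)) in
        if not (fst left = 'n') then left
        else Find_Imp (snd (dest_imp tm))
    else if is_forall tm then Find_Imp (snd (dest_forall tm))
    else if is_exists tm then Find_Imp (snd (dest_exists tm))
    else ('n',tm);;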

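% QUANT_OUT_IMP_TAC : move the first quantifier found by Find_Imp out
  of its implication by rewriting the goal with the matching
  LEFT/RIGHT_IMP_FORALL/EXISTS_CONV; NO_TAC if there is none. %
let QUANT_OUT_IMP_TAC:tactic =
    \(asl,w).
    let str,tm = Find_Imp w in
    if str = 'forl' then REWRITE_TAC [LEFT_IMP_FORALL_CONV tm] (asl,w)
    else if str = 'forr' then REWRITE_TAC [RIGHT_IMP_FORALL_CONV tm] (asl,w)
    else if str = 'exl' then REWRITE_TAC [LEFT_IMP_EXISTS_CONV tm] (asl,w)
    else if str = 'exr' then REWRITE_TAC [RIGHT_IMP_EXISTS_CONV tm] (asl,w)
    else NO_TAC (asl,w)
    ? failwith 'QUANT_OUT_IMP_TAC';;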

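% Find_Asm_Tm (w, tm) : search w (through implications, negations,
  conditionals and equalities, in that order, left to right) for an
  equality whose right-hand side is tm. Returns ('y', that equality) or
  ('n', w). The subterm walk is factored into first_hit so that each
  subterm is searched once rather than twice. %
letrec Find_Asm_Tm (w,tm) =
    letrec first_hit subs =
        null subs => ('n',w) |
        (let r = Find_Asm_Tm (hd subs, tm) in
         (fst r = 'y') => r | first_hit (tl subs)) in
    if is_eq w & (rhs w = tm) then ('y',w)
    else if is_imp w then
        first_hit [fst (dest_imp w); snd (dest_imp w)]
    else if is_neg w then
        first_hit [dest_neg w]
    else if is_cond w then
        first_hit [fst (dest_cond w);
                   fst (snd (dest_cond w));
                   snd (snd (dest_cond w))]
    else if is_eq w then
        first_hit [fst (dest_eq w); snd (dest_eq w)]
    else ('n',w);;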

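% ASM_CASES_MATCH_RHS_TAC tm : case-split on the equality in the goal
  whose right-hand side is tm (found by Find_Asm_Tm); no-op if none. %
let ASM_CASES_MATCH_RHS_TAC tm : tactic =
    \(asl,w).
    let str,tm_ret = Find_Asm_Tm (w,tm) in
    if str = 'y' then ASM_CASES_TAC tm_ret (asl,w)
    else ALL_TAC (asl,w)
    ? failwith 'ASM_CASES_MATCH_RHS_TAC';;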

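% NO_IMP_ASSUME_TAC thm : assume thm unless, under its quantifiers, it
  is an implication with a consequent other than F. %
let NO_IMP_ASSUME_TAC thm : tactic =
    \(asl,w).
    let stripped_thm = snd (strip_forall (snd (dest_thm thm))) in
    if is_imp stripped_thm & not (snd (dest_imp stripped_thm) = "F")
    then ALL_TAC (asl,w)
    else ASSUME_TAC thm (asl,w)
    ? failwith 'NO_IMP_ASSUME_TAC';;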

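% NO_UNQUANT_IMP_ASSUME_TAC thm : like NO_IMP_ASSUME_TAC but does not
  look under quantifiers, so a quantified implication is assumed.
  The failure message now names this tactic, not NO_IMP_ASSUME_TAC. %
let NO_UNQUANT_IMP_ASSUME_TAC thm : tactic =
    \(asl,w).
    let stripped_thm = snd (dest_thm thm) in
    if is_imp stripped_thm & not (snd (dest_imp stripped_thm) = "F")
    then ALL_TAC (asl,w)
    else ASSUME_TAC thm (asl,w)
    ? failwith 'NO_UNQUANT_IMP_ASSUME_TAC';;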

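% NO_TRUTH_ASSUME_TAC thm : assume thm unless its conclusion is T. %
let NO_TRUTH_ASSUME_TAC thm : tactic =
    \(asl,w).
    if snd (dest_thm thm) = "T" then ALL_TAC (asl,w)
    else ASSUME_TAC thm (asl,w)
    ? failwith 'NO_TRUTH_ASSUME_TAC';;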

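% SPEC_UNDISCH_TAC (tm1,tm2) : move the universally quantified
  assumption tm1 into the goal, pull its quantifier out as an
  existential and witness it with tm2. %
let SPEC_UNDISCH_TAC (tm1,tm2) : tactic =
    \(asl,w).
    (UNDISCH_TAC tm1
     THEN PURE_ONCE_REWRITE_TAC [LEFT_IMP_FORALL_CONV (mk_imp (tm1,w))]
     THEN EXISTS_TAC tm2) (asl,w)
    ? failwith 'SPEC_UNDISCH_TAC';;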

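% NRULE_ASSUM_TAC (tm,rul) : apply inference rule rul to the assumption
  whose conclusion is tm, leaving the other assumptions unchanged. The
  assumption list is reversed before re-assuming so its order is kept. %
let NRULE_ASSUM_TAC (tm,rul) : tactic =
    \(asl,w).
    let f thm =
        if snd (dest_thm thm) = tm then ASSUME_TAC (rul thm)
        else ASSUME_TAC thm in
    POP_ASSUM_LIST (MAP_EVERY f) ((rev asl),w)
    ? failwith 'NRULE_ASSUM_TAC';;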

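% SPEC_ASSUM_TAC (tm1,tm2) : specialise the assumption whose conclusion
  is tm1 to tm2, in place. %
let SPEC_ASSUM_TAC (tm1,tm2) : tactic =
    \(asl,w).
    let f thm =
        if snd (dest_thm thm) = tm1 then ASSUME_TAC (SPEC tm2 thm)
        else ASSUME_TAC thm in
    POP_ASSUM_LIST (MAP_EVERY f) ((rev asl),w)
    ? failwith 'SPEC_ASSUM_TAC';;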

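% SPECL_ASSUM_TAC (tm1,tmlist) : specialise the assumption whose
  conclusion is tm1 to the terms in tmlist, in place.
  The failure message now names this tactic, not SPEC_ASSUM_TAC. %
let SPECL_ASSUM_TAC (tm1,tmlist) : tactic =
    \(asl,w).
    let f thm =
        if snd (dest_thm thm) = tm1 then ASSUME_TAC (SPECL tmlist thm)
        else ASSUME_TAC thm in
    POP_ASSUM_LIST (MAP_EVERY f) ((rev asl),w)
    ? failwith 'SPECL_ASSUM_TAC';;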

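% GEN_ASSUM_TAC (tm1,tm2) : generalise the assumption whose conclusion
  is tm1 over variable tm2, in place. %
let GEN_ASSUM_TAC (tm1,tm2) : tactic =
    \(asl,w).
    let f thm =
        if snd (dest_thm thm) = tm1 then ASSUME_TAC (GEN tm2 thm)
        else ASSUME_TAC thm in
    POP_ASSUM_LIST (MAP_EVERY f) ((rev asl),w)
    ? failwith 'GEN_ASSUM_TAC';;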

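% CHOOSE_ASSUM_TAC tm1 : replace the existential assumption tm1 by its
  body, with the bound variable introduced as a fresh goal variable. %
let CHOOSE_ASSUM_TAC tm1 : tactic =
    \(asl,w).
    (UNDISCH_TAC tm1
     THEN PURE_ONCE_REWRITE_TAC [LEFT_IMP_EXISTS_CONV (mk_imp (tm1,w))]
     THEN GEN_TAC
     THEN DISCH_TAC) (asl,w)
    ? failwith 'CHOOSE_ASSUM_TAC';;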

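% REWRITE_ASSUM_TAC (tm,tlist) : rewrite the assumption whose conclusion
  is tm with tlist, in place. %
let REWRITE_ASSUM_TAC (tm,tlist) : tactic =
    \(asl,w).
    let f thm =
        if snd (dest_thm thm) = tm then ASSUME_TAC (REWRITE_RULE tlist thm)
        else ASSUME_TAC thm in
    POP_ASSUM_LIST (MAP_EVERY f) ((rev asl),w)
    ? failwith 'REWRITE_ASSUM_TAC';;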

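% PURE_REWRITE_ASSUM_TAC (tm,tlist) : pure-rewrite the assumption whose
  conclusion is tm with tlist, in place.
  NOTE: this definition is shadowed by the one that follows it, which
  rewrites through the goal (UNDISCH_TAC / PURE_REWRITE_TAC / DISCH_TAC)
  and therefore also rewrites the goal's conclusion. %
let PURE_REWRITE_ASSUM_TAC (tm,tlist) : tactic =
    \(asl,w).
    let f thm =
        if snd (dest_thm thm) = tm
        then ASSUME_TAC (PURE_REWRITE_RULE tlist thm)
        else ASSUME_TAC thm in
    POP_ASSUM_LIST (MAP_EVERY f) ((rev asl),w)
    ? failwith 'PURE_REWRITE_ASSUM_TAC';;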

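% PURE_REWRITE_ASSUM_TAC (tm,tlist) : move assumption tm into the goal,
  pure-rewrite with tlist and discharge again. This redefinition replaces
  the in-place version above; note that PURE_REWRITE_TAC sees the whole
  goal tm ==> w, so the conclusion w is rewritten as well. %
let PURE_REWRITE_ASSUM_TAC (tm,tlist) : tactic =
    \(asl,w).
    (UNDISCH_TAC tm
     THEN PURE_REWRITE_TAC tlist
     THEN DISCH_TAC) (asl,w)
    ? failwith 'PURE_REWRITE_ASSUM_TAC';;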

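% PURE_ONCE_REWRITE_ASSUM_TAC (tm,tlist) : pure-once-rewrite the
  assumption whose conclusion is tm with tlist, in place. %
let PURE_ONCE_REWRITE_ASSUM_TAC (tm,tlist) : tactic =
    \(asl,w).
    let f thm =
        if snd (dest_thm thm) = tm
        then ASSUME_TAC (PURE_ONCE_REWRITE_RULE tlist thm)
        else ASSUME_TAC thm in
    POP_ASSUM_LIST (MAP_EVERY f) ((rev asl),w)
    ? failwith 'PURE_ONCE_REWRITE_ASSUM_TAC';;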

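% DELETE_ASSUM_TAC tm : drop the assumption whose conclusion is tm.
  The failure message now names this tactic; the listing carried over
  PURE_ONCE_REWRITE_ASSUM_TAC's message. %
let DELETE_ASSUM_TAC tm : tactic =
    \(asl,w).
    let f thm =
        if snd (dest_thm thm) = tm
        then ALL_TAC
        else ASSUME_TAC thm in
    POP_ASSUM_LIST (MAP_EVERY f) ((rev asl),w)
    ? failwith 'DELETE_ASSUM_TAC';;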

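% ASM_REWRITE_ASSUM_TAC (tm,tlist) : move assumption tm into the goal,
  rewrite with tlist and the other assumptions, and discharge again
  (the goal's conclusion is rewritten too). %
let ASM_REWRITE_ASSUM_TAC (tm,tlist) : tactic =
    \(asl,w).
    (UNDISCH_TAC tm
     THEN ASM_REWRITE_TAC tlist
     THEN DISCH_TAC) (asl,w)
    ? failwith 'ASM_REWRITE_ASSUM_TAC';;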

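% REWRITE_SPEC_ASSUM_TAC (tm1,tm2,tlist) : specialise the universally
  quantified assumption tm1 to tm2 (via UNDISCH / LEFT_IMP_FORALL_CONV /
  EXISTS_TAC), rewrite with tlist and discharge again. %
let REWRITE_SPEC_ASSUM_TAC (tm1,tm2,tlist) : tactic =
    \(asl,w).
    (UNDISCH_TAC tm1
     THEN PURE_ONCE_REWRITE_TAC [LEFT_IMP_FORALL_CONV (mk_imp (tm1,w))]
     THEN EXISTS_TAC tm2
     THEN REWRITE_TAC tlist
     THEN DISCH_TAC) (asl,w)
    ? failwith 'REWRITE_SPEC_ASSUM_TAC';;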

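% ASM_REWRITE_SPEC_ASSUM_TAC (tm1,tm2,tlist) : as REWRITE_SPEC_ASSUM_TAC
  but rewriting with the assumptions as well. %
let ASM_REWRITE_SPEC_ASSUM_TAC (tm1,tm2,tlist) : tactic =
    \(asl,w).
    (UNDISCH_TAC tm1
     THEN PURE_ONCE_REWRITE_TAC [LEFT_IMP_FORALL_CONV (mk_imp (tm1,w))]
     THEN EXISTS_TAC tm2
     THEN ASM_REWRITE_TAC tlist
     THEN DISCH_TAC) (asl,w)
    ? failwith 'ASM_REWRITE_SPEC_ASSUM_TAC';;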

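% USTRIP_REWRITE_ASSUM_TAC (tm,tlist) : move assumption tm into the goal,
  rewrite with tlist, beta-reduce, pull quantifiers out of implications,
  reduce, and strip the result back into the assumptions. %
let USTRIP_REWRITE_ASSUM_TAC (tm,tlist) : tactic =
    \(asl,w).
    (UNDISCH_TAC tm
     THEN REWRITE_TAC tlist
     THEN BETA_TAC
     THEN REPEAT QUANT_OUT_IMP_TAC
     THEN REDUCE_TAC
     THEN REPEAT STRIP_TAC) (asl,w)
    ? failwith 'USTRIP_REWRITE_ASSUM_TAC';;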

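% USTRIP_ASM_REWRITE_ASSUM_TAC (tm,tlist) : as USTRIP_REWRITE_ASSUM_TAC
  but rewriting with the assumptions as well. %
let USTRIP_ASM_REWRITE_ASSUM_TAC (tm,tlist) : tactic =
    \(asl,w).
    (UNDISCH_TAC tm
     THEN ASM_REWRITE_TAC tlist
     THEN BETA_TAC
     THEN REPEAT QUANT_OUT_IMP_TAC
     THEN REDUCE_TAC
     THEN REPEAT STRIP_TAC) (asl,w)
    ? failwith 'USTRIP_ASM_REWRITE_ASSUM_TAC';;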

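% UNDISCH_MATCH_LHS_TAC tm : move into the goal every assumption that,
  under its quantifiers, is an equality with left-hand side tm. The
  assumptions stay in the assumption list (ASSUM_LIST, not POP_). %
let UNDISCH_MATCH_LHS_TAC tm : tactic =
    \(asl,w).
    let f thm =
        let stripped_thm = snd (strip_forall (snd (dest_thm thm))) in
        if is_eq stripped_thm
        then if lhs stripped_thm = tm
             then UNDISCH_TAC (snd (dest_thm thm))
             else ALL_TAC
        else ALL_TAC in
    ASSUM_LIST (MAP_EVERY f) (asl,w)
    ? failwith 'UNDISCH_MATCH_LHS_TAC';;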

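% SPEC_UNDISCH_MATCH_LHS_TAC (tm1,tm2) : for every assumption that, under
  its quantifiers, is an equality with left-hand side tm1, move it into
  the goal and specialise its leading quantifier to tm2. %
let SPEC_UNDISCH_MATCH_LHS_TAC (tm1,tm2) : tactic =
    \(asl,w).
    let f thm =
        let stripped_thm = snd (strip_forall (snd (dest_thm thm))) in
        if is_eq stripped_thm
        then if lhs stripped_thm = tm1
             then (UNDISCH_TAC (snd (dest_thm thm))
                   THEN PURE_ONCE_REWRITE_TAC
                        [LEFT_IMP_FORALL_CONV
                           (mk_imp (snd (dest_thm thm),w))]
                   THEN EXISTS_TAC tm2)
             else ALL_TAC
        else ALL_TAC in
    ASSUM_LIST (MAP_EVERY f) (asl,w)
    ? failwith 'SPEC_UNDISCH_MATCH_LHS_TAC';;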

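% SPEC_UNDISCH_MATCH_RHS_TAC (tm1,tm2) : as SPEC_UNDISCH_MATCH_LHS_TAC
  but matching the equality's right-hand side against tm1. %
let SPEC_UNDISCH_MATCH_RHS_TAC (tm1,tm2) : tactic =
    \(asl,w).
    let f thm =
        let stripped_thm = snd (strip_forall (snd (dest_thm thm))) in
        if is_eq stripped_thm
        then if rhs stripped_thm = tm1
             then (UNDISCH_TAC (snd (dest_thm thm))
                   THEN PURE_ONCE_REWRITE_TAC
                        [LEFT_IMP_FORALL_CONV
                           (mk_imp (snd (dest_thm thm),w))]
                   THEN EXISTS_TAC tm2)
             else ALL_TAC
        else ALL_TAC in
    ASSUM_LIST (MAP_EVERY f) (asl,w)
    ? failwith 'SPEC_UNDISCH_MATCH_RHS_TAC';;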
% 
File: range_induct.ml 

Author: (c) P. J. Windley 1993 

Description: 

Defines an induction tactic for use with ranges. 

Modified: 

23FEB93 (PJW) -- Original file. 
% 


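% SUC_LESS_EQ : |- !m n. (SUC m) <= n ==> m <= n.
  Case split on LESS_OR_EQ: SUC m < n gives m < n by SUC_LESS; SUC m = n
  gives m < SUC m by LESS_SUC_REFL. %
let SUC_LESS_EQ = PROVE
    ("!m n. (SUC m) <= n ==> m <= n",
     REWRITE_TAC [LESS_OR_EQ]
     THEN REPEAT STRIP_TAC
     THENL [
       IMP_RES_TAC SUC_LESS
       THEN ASM_REWRITE_TAC []
     ;
       POP_ASSUM (SUBST1_TAC o GSYM)
       THEN REWRITE_TAC [LESS_SUC_REFL]
     ]
    );;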


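%
 The listing re-bound SUC_LESS_EQ here by assertion:
   let SUC_LESS_EQ = mk_thm ([], "!m n. (SUC m) <= n ==> m <= n");;
 mk_thm bypasses the inference kernel (the statement is taken on trust),
 and the re-binding replaced the theorem PROVEd just above with an
 unproven copy of it, so a failure of that proof would have gone
 unnoticed. The assertion is retired; the proved SUC_LESS_EQ stays in
 scope and has the same statement.
%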

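% RANGE_PLUS_INDUCT_LEMMA : induction on u for a predicate over u + a,
  bounded above by b. From the step (P(u+a) and SUC(u+a) <= b give
  P(SUC(u+a))) and the base (a <= b gives P a), conclude P(u+a) for all
  u with u + a <= b. Proved by INDUCT_TAC on u. %
let RANGE_PLUS_INDUCT_LEMMA = PROVE
    ("! P a b .
       (! u . (P (u + a) /\ SUC (u + a) <= b ==> P (SUC (u + a)))) /\
       ((a <= b) ==> P a) ==>
       (! u . (u + a) <= b ==> P (u + a))",
     REPEAT GEN_TAC
     THEN STRIP_TAC
     THEN IMP_RES_TAC SUC_LESS_EQ
     THEN INDUCT_TAC
     THEN ASM_REWRITE_TAC [ADD_CLAUSES]
     THEN REPEAT STRIP_TAC
     THEN IMP_RES_TAC SUC_LESS_EQ
     THEN RES_TAC
    );;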

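% RANGE_INDUCT_LEMMA : range induction proper. From the step and base of
  RANGE_PLUS_INDUCT_LEMMA (stated with a + u), conclude P t' for every
  t' with a <= t' <= b, by instantiating u to t' - a and using SUB_ADD
  to rewrite (t' - a) + a back to t'. The el indices refer to positions
  in the assumption list at that point of the proof. %
let RANGE_INDUCT_LEMMA = PROVE
    ("! P a b .
       (! u . (P (a + u) /\ SUC (a + u) <= b ==> P (SUC (a + u)))) /\
       ((a <= b) ==> P a) ==>
       !t' . a <= t' ==> t' <= b ==> P t'",
     REPEAT GEN_TAC
     THEN DISCH_THEN (STRIP_ASSUME_TAC o ONCE_REWRITE_RULE [ADD_SYM])
     THEN REPEAT STRIP_TAC
     THEN IMP_RES_TAC RANGE_PLUS_INDUCT_LEMMA
     THEN ASSUM_LIST (\asl . STRIP_ASSUME_TAC (
            REWRITE_RULE [MATCH_MP SUB_ADD (el 3 asl)] (
              SPEC "t' - a" (el 1 asl))))
     THEN RES_TAC
    );;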

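% RANGE_INDUCT_TAC : apply RANGE_INDUCT_LEMMA to a goal of the form
  !t'. a <= t' ==> t' <= b ==> P t', leaving the step and base cases. %
let RANGE_INDUCT_TAC =
    MATCH_MP_TAC RANGE_INDUCT_LEMMA
    THEN REPEAT STRIP_TAC
    THEN IMP_RES_TAC SUC_LESS_EQ;;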


% 
Testing 

g "!t' . a <= t' ==> t' <= b ==> P t'";; 
g "!t' . (a+1) <= t' ==> t' <= b ==> P t'";; 
g "!t' . a <= t' ==> t' <= (b+1) ==> P t'";; 
g "!t' . (a+1) <= t' ==> t' <= (b+1) ==> P t'";; 
g "!t' . (a-1) <= t' ==> t' <= b ==> P t'";; 

e (RANGE_INDUCT_TAC);; 
% 


% 
File: assoc.ml 

Author: (c) D.A. Fura 1992 

Date: 22 October 1992 

Theorems involving + and - : 

ASSOC_ADD_ADD1 : "! a b c . (a + b) + c = a + (b + c)" 
ASSOC_ADD_ADD2 : "! a b c . (a + b) + c = a + (c + b)" 
ASSOC_ADD_ADD3 : "! a b c . (a + b) + c = b + (a + c)" 
ASSOC_ADD_ADD4 : "! a b c . (a + b) + c = b + (c + a)" 
ASSOC_ADD_ADD5 : "! a b c . (a + b) + c = c + (a + b)" 
ASSOC_ADD_ADD6 : "! a b c . (a + b) + c = c + (b + a)" 
ASSOC_ADD_SUB1 : "! a b c . c <= b ==> ((a + b) - c = a + (b - c))" 
ASSOC_ADD_SUB2 : "! a b c . c <= a ==> ((a + b) - c = b + (a - c))" 
ASSOC_ADD_SUB3 : "! a b c . b <= c ==> ((a + b) - c = a - (c - b))" 
ASSOC_ADD_SUB4 : "! a b c . a <= c ==> ((a + b) - c = b - (c - a))" 
ASSOC_SUB_ADD1 : "! a b c . b <= a /\ b <= c ==> ((a - b) + c = a + (c - b))" 
ASSOC_SUB_ADD2 : "! a b c . (a - b) + c = c + (a - b)" 
ASSOC_SUB_ADD3 : "! a b c . b <= a /\ c <= b ==> ((a - b) + c = a - (b - c))" 
ASSOC_SUB_ADD4 : "! a b c . (a = b) ==> ((a - b) + c = c - (b - a))" 
ASSOC_SUB_SUB1 : "! a b c . (a - b) - c = a - (b + c)" 
ASSOC_SUB_SUB2 : "! a b c . (a - b) - c = a - (c + b)" 
% 




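% Rebuild the assoc theory from scratch: time each step, remove any
  previous theory file, then start the theory. The rm is a shell
  command on the fixed file name assoc.th in the working directory. %
set_flag ('timing', true);;
system 'rm assoc.th';;
new_theory 'assoc';;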
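% SYM_RULE: flip every equation occurring in a theorem (x = y becomes y = x)
  by applying SYM_CONV once at each depth. %
let SYM_RULE =
  (CONV_RULE (ONCE_DEPTH_CONV SYM_CONV))
  ? failwith 'SYM_RULE';;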

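% (a + b) + c = a + (b + c): a direct restatement of ADD_ASSOC. %
let ASSOC_ADD_ADD1 = prove_thm
 ('ASSOC_ADD_ADD1',
  "! a b c . (a + b) + c = a + (b + c)",
  REWRITE_TAC [ADD_ASSOC]
 );;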

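% (a + b) + c = a + (c + b): commute c and b, then ASSOC_ADD_ADD1. %
let ASSOC_ADD_ADD2 = prove_thm
 ('ASSOC_ADD_ADD2',
  "! a b c . (a + b) + c = a + (c + b)",
  REPEAT GEN_TAC
  THEN SUBST_TAC [SPECL ["c:num"; "b:num"] ADD_SYM]
  THEN REWRITE_TAC [ASSOC_ADD_ADD1]
 );;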

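% (a + b) + c = b + (a + c): commute a and b, then ASSOC_ADD_ADD1. %
let ASSOC_ADD_ADD3 = prove_thm
 ('ASSOC_ADD_ADD3',
  "! a b c . (a + b) + c = b + (a + c)",
  REPEAT GEN_TAC
  THEN SUBST_TAC [SPECL ["a:num"; "b:num"] ADD_SYM]
  THEN REWRITE_TAC [ASSOC_ADD_ADD1]
 );;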

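% (a + b) + c = b + (c + a): commute a and b, then ASSOC_ADD_ADD2.
  The closing ");;" is missing from the scanned listing and is restored here. %
let ASSOC_ADD_ADD4 = prove_thm
 ('ASSOC_ADD_ADD4',
  "! a b c . (a + b) + c = b + (c + a)",
  REPEAT GEN_TAC
  THEN SUBST_TAC [SPECL ["a:num"; "b:num"] ADD_SYM]
  THEN REWRITE_TAC [ASSOC_ADD_ADD2]
 );;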

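% (a + b) + c = c + (a + b): one application of ADD_SYM to the whole sum. %
let ASSOC_ADD_ADD5 = prove_thm
 ('ASSOC_ADD_ADD5',
  "! a b c . (a + b) + c = c + (a + b)",
  REWRITE_TAC [SPECL ["a+b"; "c:num"] ADD_SYM]
 );;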

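% (a + b) + c = c + (b + a): commute a and b, then commute the outer sum. %
let ASSOC_ADD_ADD6 = prove_thm
 ('ASSOC_ADD_ADD6',
  "! a b c . (a + b) + c = c + (b + a)",
  REPEAT GEN_TAC
  THEN SUBST_TAC [SPECL ["a:num"; "b:num"] ADD_SYM]
  THEN REWRITE_TAC [SPECL ["b+a"; "c:num"] ADD_SYM]
 );;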

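% c <= b ==> (a + b) - c = a + (b - c): resolve with the library theorem
  LESS_EQ_ADD_SUB and rewrite with the result. %
let ASSOC_ADD_SUB1 = prove_thm
 ('ASSOC_ADD_SUB1',
  "! a b c . c <= b ==> ((a+b) - c = a + (b - c))",
  REPEAT STRIP_TAC
  THEN IMP_RES_TAC LESS_EQ_ADD_SUB
  THEN ASM_REWRITE_TAC []
 );;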

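% c <= a ==> (a + b) - c = b + (a - c): commute a and b, then ASSOC_ADD_SUB1. %
let ASSOC_ADD_SUB2 = prove_thm
 ('ASSOC_ADD_SUB2',
  "! a b c . c <= a ==> ((a+b) - c = b + (a - c))",
  REPEAT GEN_TAC
  THEN SUBST_TAC [SPECL ["a:num"; "b:num"] ADD_SYM]
  THEN REWRITE_TAC [ASSOC_ADD_SUB1]
 );;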

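% b <= c ==> (a + b) - c = a - (c - b).
  Split b <= c into b < c (write c = b + (p+1)) and b = c, and close each
  case with ASSOC_ADD_SUB1 plus the SUB_EQUAL_0 / ADD_CLAUSES simplifications. %
let ASSOC_ADD_SUB3 = prove_thm
 ('ASSOC_ADD_SUB3',
  "! a b c . b <= c ==> ((a+b) - c = a - (c - b))",
  PURE_ONCE_REWRITE_TAC [LESS_OR_EQ]
  THEN REPEAT STRIP_TAC
  THENL [
    IMP_RES_TAC LESS_ADD_1
    THEN ASM_REWRITE_TAC []
    THEN SUBST_TAC [SPECL ["a+b"; "b:num"; "p+1"] SUB_PLUS]
    THEN ASSUME_TAC (SPEC "b:num" LESS_EQ_REFL)
    THEN IMP_RES_TAC (SPECL ["a:num"; "b:num"; "b:num"] ASSOC_ADD_SUB1)
    THEN SUBST_TAC [SPECL ["b:num"; "p+1"] ADD_SYM]
    THEN IMP_RES_TAC (SPECL ["p+1"; "b:num"; "b:num"] ASSOC_ADD_SUB1)
    THEN ASM_REWRITE_TAC [SUB_EQUAL_0; ADD_CLAUSES]
   ;
    ASSUME_TAC (SPEC "c:num" LESS_EQ_REFL)
    THEN IMP_RES_TAC (SPECL ["a:num"; "c:num"; "c:num"] ASSOC_ADD_SUB1)
    THEN ASM_REWRITE_TAC [SUB_EQUAL_0; ADD_CLAUSES; SUB_0]
  ]
 );;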

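% a <= c ==> (a + b) - c = b - (c - a): commute a and b, then ASSOC_ADD_SUB3. %
let ASSOC_ADD_SUB4 = prove_thm
 ('ASSOC_ADD_SUB4',
  "! a b c . a <= c ==> ((a+b) - c = b - (c - a))",
  REPEAT GEN_TAC
  THEN SUBST_TAC [SPECL ["a:num"; "b:num"] ADD_SYM]
  THEN REWRITE_TAC [ASSOC_ADD_SUB3]
 );;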
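% b <= a /\ b <= c ==> (a - b) + c = a + (c - b): rewrite both sides through
  ASSOC_ADD_SUB2 / ASSOC_ADD_SUB1 (instantiated at c, a, b) and commute. %
let ASSOC_SUB_ADD1 = prove_thm
 ('ASSOC_SUB_ADD1',
  "! a b c . b <= a /\ b <= c ==> ((a - b) + c = a + (c - b))",
  REPEAT STRIP_TAC
  THEN IMP_RES_TAC (SYM_RULE (SPECL ["c:num"; "a:num"; "b:num"] ASSOC_ADD_SUB2))
  THEN ASM_REWRITE_TAC []
  THEN IMP_RES_TAC (SPECL ["c:num"; "a:num"; "b:num"] ASSOC_ADD_SUB1)
  THEN ONCE_ASM_REWRITE_TAC []
  THEN SUBST_TAC [SPECL ["c:num"; "a-b"] ADD_SYM]
  THEN REWRITE_TAC []
 );;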

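% (a - b) + c = c + (a - b): ADD_SYM on the outer sum. %
let ASSOC_SUB_ADD2 = prove_thm
 ('ASSOC_SUB_ADD2',
  "! a b c . ((a-b) + c = c + (a-b))",
  REPEAT GEN_TAC
  THEN SUBST_TAC [SPECL ["a-b"; "c:num"] ADD_SYM]
  THEN REWRITE_TAC []
 );;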

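% b <= a /\ c <= b ==> (a - b) + c = a - (b - c): via ASSOC_ADD_SUB4 and
  ASSOC_ADD_SUB1 instantiated at c, a, b, then ADD_SYM. %
let ASSOC_SUB_ADD3 = prove_thm
 ('ASSOC_SUB_ADD3',
  "! a b c . b <= a /\ c <= b ==> ((a-b) + c = a - (b - c))",
  REPEAT STRIP_TAC
  THEN IMP_RES_TAC (SYM_RULE (SPECL ["c:num"; "a:num"; "b:num"] ASSOC_ADD_SUB4))
  THEN ASM_REWRITE_TAC []
  THEN IMP_RES_TAC (SPECL ["c:num"; "a:num"; "b:num"] ASSOC_ADD_SUB1)
  THEN ASM_REWRITE_TAC [SPECL ["c:num"; "a-b"] ADD_SYM]
 );;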

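% (a = b) ==> (a - b) + c = c - (b - a): both differences collapse to 0. %
let ASSOC_SUB_ADD4 = prove_thm
 ('ASSOC_SUB_ADD4',
  "! a b c . (a = b) ==> ((a-b) + c = c - (b - a))",
  REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC [SUB_EQUAL_0; ADD_CLAUSES; SUB_0]
 );;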

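% (a - b) - c = a - (b + c): a restatement of SUB_PLUS. %
let ASSOC_SUB_SUB1 = prove_thm
 ('ASSOC_SUB_SUB1',
  "! a b c . (a - b) - c = a - (b + c)",
  REWRITE_TAC [SUB_PLUS]
 );;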

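% (a - b) - c = a - (c + b): commute c and b, then SUB_PLUS. %
let ASSOC_SUB_SUB2 = prove_thm
 ('ASSOC_SUB_SUB2',
  "! a b c . (a-b) - c = a - (c + b)",
  REPEAT GEN_TAC
  THEN SUBST_TAC [SPECL ["c:num"; "b:num"] ADD_SYM]
  THEN REWRITE_TAC [SUB_PLUS]
 );;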

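% Write assoc.th to disk. %
close_theory ();;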


%-----------------------------------------------------------------------------
File: cond.ml

Author: (c) D.A. Fura 1992

Date: 30 December 1992

Theorems involving conditionals:

COND_TRUE_TRUE:     |- "!a b c d. a => (a => b | c) | d = (a => b | d)"
COND_TRUE_FALSE:    |- "!a b c d. a => ((~a) => b | c) | d = (a => c | d)"
COND_FALSE_TRUE:    |- "!a b c d. a => b | ((~a) => c | d) = (a => b | c)"
COND_FALSE_FALSE:   |- "!a b c d. a => b | (a => c | d) = (a => b | d)"
COND_TRUE_CHOICES:  |- "!a. (a => T | T) = T"
COND_FALSE_CHOICES: |- "!a. (a => F | F) = F"
COND_FIRST_CHOICE:  |- "!a b c. (b => a | c = a) /\ ~(a = c) ==> b"
COND_SECOND_CHOICE: |- "!a b c. (b => a | c = c) /\ ~(a = c) ==> ~b"
-----------------------------------------------------------------------------%





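% Theory set-up: time each proof, discard any stale cond.th (fixed literal
  command), then open the new theory. %
set_flag ('timing', true);;
system 'rm cond.th';;
new_theory 'cond';;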

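% SYM_RULE: flip every equation in a theorem (x = y becomes y = x). %
let SYM_RULE =
  (CONV_RULE (ONCE_DEPTH_CONV SYM_CONV))
  ? failwith 'SYM_RULE';;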

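% A nested conditional on the same test in the true arm collapses:
  a => (a => b | c) | d = (a => b | d). Proved by case analysis on a. %
let COND_TRUE_TRUE = prove_thm
 ('COND_TRUE_TRUE',
  "! (a:bool) (b c d:*) . a => (a => b | c) | d = (a => b | d)",
  REPEAT GEN_TAC
  THEN BOOL_CASES_TAC "a:bool"
  THEN REWRITE_TAC []
 );;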

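% a => ((~a) => b | c) | d = (a => c | d): case analysis on a. %
let COND_TRUE_FALSE = prove_thm
 ('COND_TRUE_FALSE',
  "! (a:bool) (b c d:*) . a => ((~a) => b | c) | d = (a => c | d)",
  REPEAT GEN_TAC
  THEN BOOL_CASES_TAC "a:bool"
  THEN REWRITE_TAC []
 );;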

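% a => b | ((~a) => c | d) = (a => b | c): case analysis on a. %
let COND_FALSE_TRUE = prove_thm
 ('COND_FALSE_TRUE',
  "! (a:bool) (b c d:*) . a => b | ((~a) => c | d) = (a => b | c)",
  REPEAT GEN_TAC
  THEN BOOL_CASES_TAC "a:bool"
  THEN REWRITE_TAC []
 );;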

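% a => b | (a => c | d) = (a => b | d): case analysis on a. %
let COND_FALSE_FALSE = prove_thm
 ('COND_FALSE_FALSE',
  "! (a:bool) (b c d:*) . a => b | (a => c | d) = (a => b | d)",
  REPEAT GEN_TAC
  THEN BOOL_CASES_TAC "a:bool"
  THEN REWRITE_TAC []
 );;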

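% A conditional whose both arms are T is T. %
let COND_TRUE_CHOICES = prove_thm
 ('COND_TRUE_CHOICES',
  "! (a:bool) . a => T | T = T",
  REPEAT GEN_TAC
  THEN BOOL_CASES_TAC "a:bool"
  THEN REWRITE_TAC []
 );;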

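% A conditional whose both arms are F is F. %
let COND_FALSE_CHOICES = prove_thm
 ('COND_FALSE_CHOICES',
  "! (a:bool) . a => F | F = F",
  REPEAT GEN_TAC
  THEN BOOL_CASES_TAC "a:bool"
  THEN REWRITE_TAC []
 );;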

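% If a conditional with distinct arms a, c evaluates to a, the test b held.
  The assumption list is extended with the symmetric form of each equation so
  that the final rewrite can use them in either orientation. %
let COND_FIRST_CHOICE = prove_thm
 ('COND_FIRST_CHOICE',
  "! (a c:*) (b:bool) . (b => a | c = a) /\ ~(a = c) ==> b",
  REPEAT STRIP_TAC
  THEN UNDISCH_TAC "(b:bool) => (a:*) | c = a"
  THEN ASM_CASES_TAC "b:bool"
  THEN POP_ASSUM_LIST
    (MAP_EVERY (\thm. ASSUME_TAC thm THEN ASSUME_TAC (SYM_RULE thm)))
  THEN ASM_REWRITE_TAC []
 );;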



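% If a conditional with distinct arms a, c evaluates to c, the test b failed. %
let COND_SECOND_CHOICE = prove_thm
 ('COND_SECOND_CHOICE',
  "! (a c:*) (b:bool) . (b => a | c = c) /\ ~(a = c) ==> (~b)",
  REPEAT STRIP_TAC
  THEN UNDISCH_TAC "(b:bool) => (a:*) | c = c"
  THEN ASM_CASES_TAC "b:bool"
  THEN ASM_REWRITE_TAC []
  THEN RES_TAC
 );;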

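% Write cond.th to disk. %
close_theory ();;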


%-----------------------------------------------------------------------------
File: ineq.ml

Author: (c) D.A. Fura 1992-93

Date: 19 February 1993

Theorems involving inequalities:

NOT_EQ:                |- "!m n. ~(m = n) = ((m < n) \/ (n < m))"
NOT_EQ_ZERO:           |- "!n. ~(n = 0) = (n > 0)"
NOT_LESS_EQ_LESS [PL]: |- "!m n. (~(m <= n)) = (n < m)"

LT_IMP_SUC_LE:         |- "!m n. m < n ==> SUC m <= n"
SUC_LE_IMP_LT:         |- "!m n. SUC m <= n ==> m < n"
LT_EQ_SUC_LE:          |- "!m n. m < n = SUC m <= n"
LT_IMP_LE_PRE:         |- "!m n. m < n ==> m <= PRE n"
LE_PRE_IMP_LT:         |- "!m n. 1 <= n ==> (m <= PRE n ==> m < n)"
LT_EQ_LE_PRE:          |- "!m n. 1 <= n ==> (m < n = m <= PRE n)"
LE_IMP_LT_SUC:         |- "!m n. m <= n ==> m < SUC n"
LT_SUC_IMP_LE:         |- "!m n. m < SUC n ==> m <= n"
LE_EQ_LT_SUC:          |- "!m n. m <= n = m < SUC n"
LE_IMP_PRE_LT:         |- "!m n. 1 <= m ==> (m <= n ==> PRE m < n)"
PRE_LT_IMP_LE:         |- "!m n. PRE m < n ==> m <= n"
LT_IMP_LE:             |- "!m n. m < n ==> (m <= n)"
SUC_LE_IMP_LE:         |- "!m n. (m + 1) <= n ==> (m <= n)"

LESS_EQ_ZERO [PJW]:    |- "!n. (n <= 0) = (n = 0)"
ONE_LESS_EQ:           |- "!n. (1 <= n) = (n > 0)"
LESS_THAN_ONE:         |- "!n. n < 1 = (n = 0)"

LESS_EQ_MONO_SUB:      |- "!m n p. (m <= n) ==> ((m - p) <= (n - p))"
LESS_EQ_MONO_SUB_EQ:   |- "!m n p. (p <= m) /\ (p <= n) ==>
                                   ((m - p) <= (n - p) = m <= n)"
LESS_EQ_ADD_SUB1:      |- "!n p. (n <= p) ==> !m. (((m + n) <= p) = (m <= p - n))"
LESS_EQ_ADD_SUB2:      |- "!m p. (m <= p) ==> !n. (((m + n) <= p) = (n <= p - m))"
LESS_EQ_SUB_ADD1:      |- "!m n. (n <= m) ==> !p. ((m - n) <= p = m <= (n + p))"
LESS_EQ_SUB_ADD2:      |- "!m n. (n <= m) ==> !p. ((m - n) <= p = m <= (p + n))"

LESS_LESS_EQ_TRANS [WP]: |- "!m n p. (m < n) /\ (n <= p) ==> (m < p)"
LESS_EQ_LESS_TRANS [WP]: |- "!m n p. (m <= n) /\ (n < p) ==> (m < p)"

LESS_EQ_3_CASES:       |- "n <= 3 = (((n = 0) \/ (n = 1)) \/ (n = 2)) \/ (n = 3)"
LESS_EQ_15_CASES:
  |- "n <= 15 =
      (((((((((((((((n = 0) \/ (n = 1)) \/ (n = 2)) \/ (n = 3)) \/ (n = 4)) \/
      (n = 5)) \/ (n = 6)) \/ (n = 7)) \/ (n = 8)) \/ (n = 9)) \/ (n = 10)) \/
      (n = 11)) \/ (n = 12)) \/ (n = 13)) \/ (n = 14)) \/ (n = 15)"

[PL]  = (c) Paul Loewenstein
[WP]  = (c) Wim Ploegaerts
[PJW] = (c) Phil Windley.
-----------------------------------------------------------------------------%



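% Theory set-up: time each proof, discard any stale ineq.th (fixed literal
  command), open the theory, and load the numeral-reduction library used by
  REDUCE_TAC / REDUCE_CONV below. %
set_flag ('timing', true);;
system 'rm ineq.th';;
new_theory 'ineq';;
load_library 'reduce';;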


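% SYM_RULE: flip every equation in a theorem (x = y becomes y = x). %
let SYM_RULE =
  (CONV_RULE (ONCE_DEPTH_CONV SYM_CONV))
  ? failwith 'SYM_RULE';;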

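% LIMP: from an equational theorem |- !x. l = r produce the left-to-right
  implication |- !x. l ==> r (specialise, split with EQ_IMP_RULE, regeneralise). %
let LIMP = (\thm. GEN_ALL (fst (EQ_IMP_RULE (SPEC_ALL thm))));;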


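% ~(m = n) = (m < n \/ n < m): double induction, numeral reduction for the
  base cases, and the SUC / ADD1 rewrites for the step. %
let NOT_EQ = prove_thm
 ('NOT_EQ',
  "! (m n:num) . ~(m = n) = ((m < n) \/ (n < m))",
  INDUCT_TAC
  THEN INDUCT_TAC
  THEN REDUCE_TAC
  THEN ASM_REWRITE_TAC [LESS_0; SYM_RULE NOT_SUC; SYM_RULE SUC_NOT; LESS_MONO_EQ;
                        ADD1; EQ_MONO_ADD_EQ]
 );;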


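% ~(n = 0) = (n > 0): induction on n. %
let NOT_EQ_ZERO = prove_thm
 ('NOT_EQ_ZERO',
  "! (n:num) . ~(n = 0) = (n > 0)",
  INDUCT_TAC
  THEN REDUCE_TAC
  THEN REWRITE_TAC [NOT_SUC; GREATER; LESS_0]
 );;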

% [PJW] % 

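% (n <= 0) = (n = 0). %
let LESS_EQ_ZERO = prove_thm
 ('LESS_EQ_ZERO',
  "! (n:num) . (n <= 0) = (n = 0)",
  REWRITE_TAC [GREATER_OR_EQ; LESS_OR_EQ; NOT_LESS_0]
 );;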

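% (1 <= n) = (n > 0): unfold 1 as SUC 0 and use LESS_EQ. %
let ONE_LESS_EQ = prove_thm
 ('ONE_LESS_EQ',
  "! (n:num) . (1 <= n) = (n > 0)",
  REWRITE_TAC [GREATER; LESS_EQ; SYM (num_CONV "1")]
 );;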


% [PL] %

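% (~(m <= n)) = (n < m): the symmetric form of NOT_LESS. %
let NOT_LESS_EQ_LESS = prove_thm
 ('NOT_LESS_EQ_LESS',
  "!m n. (~(m <= n)) = (n < m)",
  REWRITE_TAC [SYM (SPEC_ALL NOT_LESS)]
 );;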


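% m < n ==> SUC m <= n: this is the library theorem LESS_OR. %
let LT_IMP_SUC_LE = prove_thm
 ('LT_IMP_SUC_LE',
  "! m n:num. m < n ==> SUC m <= n", ACCEPT_TAC LESS_OR);;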


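% SUC m <= n ==> m < n: this is the library theorem OR_LESS. %
let SUC_LE_IMP_LT = prove_thm
 ('SUC_LE_IMP_LT',
  "! m n:num. SUC m <= n ==> m < n", ACCEPT_TAC OR_LESS);;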


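% m < n = SUC m <= n: this is the library theorem LESS_EQ. %
let LT_EQ_SUC_LE = prove_thm
 ('LT_EQ_SUC_LE',
  "! m n:num. m < n = SUC m <= n", ACCEPT_TAC LESS_EQ);;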

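% m < n ==> m <= PRE n: rewrite PRE n as n - 1 and use SUB_LESS_OR. %
let LT_IMP_LE_PRE = prove_thm
 ('LT_IMP_LE_PRE',
  "! m n:num. m < n ==> m <= PRE n",
  REWRITE_TAC [PRE_SUB1]
  THEN REPEAT GEN_TAC
  THEN ACCEPT_TAC (SPECL ["n:num"; "m:num"] SUB_LESS_OR)
 );;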
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t 


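% 1 <= n ==> (m <= PRE n ==> m < n): add 1 to both sides of m <= n - 1,
  restore n with SUB_ADD, then SUC_LE_IMP_LT (in its m + 1 form). %
let LE_PRE_IMP_LT = prove_thm
 ('LE_PRE_IMP_LT',
  "! m n:num. 1 <= n ==> (m <= PRE n ==> m < n)",
  REWRITE_TAC
    [PRE_SUB1; SYM_RULE (SPECL ["m:num"; "n-1"; "1"] LESS_EQ_MONO_ADD_EQ)]
  THEN REPEAT GEN_TAC
  THEN DISCH_TAC
  THEN IMP_RES_TAC (SPECL ["n:num"; "1"] SUB_ADD)
  THEN ASM_REWRITE_TAC [REWRITE_RULE [ADD1] SUC_LE_IMP_LT]
 );;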

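% 1 <= n ==> (m < n = m <= PRE n): one direction each from LT_IMP_LE_PRE
  and LE_PRE_IMP_LT. %
let LT_EQ_LE_PRE = prove_thm
 ('LT_EQ_LE_PRE',
  "! m n:num. 1 <= n ==> (m < n = m <= PRE n)",
  REPEAT GEN_TAC
  THEN DISCH_TAC
  THEN EQ_TAC
  THENL [
    ACCEPT_TAC (SPEC_ALL LT_IMP_LE_PRE)
   ;
    IMP_RES_TAC LE_PRE_IMP_LT
    THEN ASM_REWRITE_TAC []
  ]
 );;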

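% m <= n ==> m < SUC n: the library theorem LESS_EQ_IMP_LESS_SUC. %
let LE_IMP_LT_SUC = prove_thm
 ('LE_IMP_LT_SUC',
  "! m n:num. m <= n ==> m < SUC n",
  ACCEPT_TAC LESS_EQ_IMP_LESS_SUC
 );;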

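% m < SUC n ==> m <= n: case split on m = n; in the m <> n case NOT_EQ gives
  m < n or n < m, and the latter contradicts m < n + 1 via LESS_EQ_ANTISYM. %
let LT_SUC_IMP_LE = prove_thm
 ('LT_SUC_IMP_LE',
  "! m n:num. m < SUC n ==> m <= n",
  REWRITE_TAC [ADD1; LESS_OR_EQ]
  THEN REPEAT STRIP_TAC
  THEN ASM_CASES_TAC "m:num = n"
  THEN ASM_REWRITE_TAC []
  THEN IMP_RES_TAC (LIMP NOT_EQ)
  THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
  THEN IMP_RES_TAC (REWRITE_RULE [ADD1] LT_IMP_SUC_LE)
  THEN IMP_RES_TAC LESS_EQ_ANTISYM
 );;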

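% m <= n = m < SUC n: one direction each from LE_IMP_LT_SUC and LT_SUC_IMP_LE. %
let LE_EQ_LT_SUC = prove_thm
 ('LE_EQ_LT_SUC',
  "! m n:num. m <= n = m < SUC n",
  REPEAT GEN_TAC
  THEN EQ_TAC
  THENL [
    ACCEPT_TAC (SPECL ["m:num"; "n:num"] LE_IMP_LT_SUC)
   ;
    ACCEPT_TAC (SPEC_ALL LT_SUC_IMP_LE)
  ]
 );;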

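% n < 1 = (n = 0): instantiate LT_EQ_LE_PRE at n, 1 (1 <= 1 discharged by
  REDUCE_CONV) and reduce PRE 1 to 0. %
let LESS_THAN_ONE = prove_thm
 ('LESS_THAN_ONE',
  "! (n:num) . n < 1 = (n = 0)",
  REWRITE_TAC [SYM (SPEC "n:num" LESS_EQ_ZERO)]
  THEN ASSUME_TAC (REWRITE_RULE [] (REDUCE_CONV "1<=1"))
  THEN IMP_RES_TAC
    (REWRITE_RULE [PRE_SUB1] (SPECL ["n:num"; "1"] LT_EQ_LE_PRE))
  THEN ASM_REWRITE_TAC [REDUCE_CONV "1-1"]
 );;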

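% 1 <= m ==> (m <= n ==> PRE m < n): rewrite PRE m as m - 1, add 1 to both
  sides of the strict inequality and restore m with SUB_ADD.
  NOTE(review): the LESS_MONO_ADD_EQ instantiation is illegible in the
  scanned listing; ["m-1"; "n:num"; "1"] is taken by analogy with
  PRE_LT_IMP_LE below - confirm against the original source. %
let LE_IMP_PRE_LT = prove_thm
 ('LE_IMP_PRE_LT',
  "! m n:num. 1 <= m ==> (m <= n ==> PRE m < n)",
  REWRITE_TAC [PRE_SUB1]
  THEN REPEAT STRIP_TAC
  THEN IMP_RES_TAC (REWRITE_RULE [ADD1] LE_IMP_LT_SUC)
  THEN REWRITE_TAC [SYM_RULE (SPECL ["m-1"; "n:num"; "1"] LESS_MONO_ADD_EQ)]
  THEN IMP_RES_TAC SUB_ADD
  THEN ASM_REWRITE_TAC []
 );;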

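% PRE m < n ==> m <= n. Case split on 1 <= m: if so, (m - 1) + 1 < n + 1
  gives the result through LE_EQ_LT_SUC; otherwise m = 0 (LESS_THAN_ONE) and
  0 <= n is ZERO_LESS_EQ. %
let PRE_LT_IMP_LE = prove_thm
 ('PRE_LT_IMP_LE',
  "! m n:num. PRE m < n ==> m <= n",
  REPEAT GEN_TAC
  THEN ASM_CASES_TAC "1 <= m"
  THEN REWRITE_TAC
    [PRE_SUB1; SYM_RULE (SPECL ["m-1"; "n:num"; "1"] LESS_MONO_ADD_EQ)]
  THEN IMP_RES_TAC SUB_ADD
  THEN ASM_REWRITE_TAC [REWRITE_RULE [ADD1] LE_EQ_LT_SUC]
  THEN IMP_RES_TAC NOT_LESS_EQ_LESS
  THEN IMP_RES_TAC LESS_THAN_ONE
  THEN ASSUME_TAC
    (SYM_RULE
      (REWRITE_RULE [ADD1] (SPECL ["0"; "n:num"] LE_EQ_LT_SUC)))
  THEN ASM_REWRITE_TAC [ZERO_LESS_EQ]
 );;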

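% m < n ==> m <= n: unfold <= as < \/ = and take the left disjunct. %
let LT_IMP_LE = prove_thm
 ('LT_IMP_LE',
  "! (m n:num) . m < n ==> (m <= n)",
  REWRITE_TAC [LESS_OR_EQ]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;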

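% (m + 1) <= n ==> m <= n: m <= m + 1 (LESS_EQ_ADD) and transitivity. %
let SUC_LE_IMP_LE = prove_thm
 ('SUC_LE_IMP_LE',
  "! (m n:num) . (m + 1) <= n ==> (m <= n)",
  REPEAT STRIP_TAC
  THEN ASSUME_TAC (SPECL ["m:num"; "1"] LESS_EQ_ADD)
  THEN IMP_RES_TAC LESS_EQ_TRANS
 );;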

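% lemma1 (local, not saved): m <= n ==> ~(m < p) ==> ~(n < p).
  After NOT_LESS the goal is p <= m ==> p <= n, i.e. LESS_EQ_TRANS. %
let lemma1 = TAC_PROOF
 (([], "! m n p:num . (m <= n) ==> (~m < p) ==> (~n < p)"),
  REWRITE_TAC [NOT_LESS]
  THEN REPEAT STRIP_TAC
  THEN IMP_RES_TAC (SPECL ["p:num"; "m:num"; "n:num"] LESS_EQ_TRANS)
 );;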

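% m <= n ==> (m - p) <= (n - p): double induction on m and n; the SUC/SUC
  case unfolds SUB and splits on its conditional, using lemma1 to carry the
  negated guard from m to n. %
let LESS_EQ_MONO_SUB = prove_thm
 ('LESS_EQ_MONO_SUB',
  "!m n p. (m <= n) ==> ((m - p) <= (n - p))",
  INDUCT_TAC
  THEN INDUCT_TAC
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC [SUB_0; ZERO_LESS_EQ]
  THENL [
    UNDISCH_TAC "(SUC m) <= 0"
    THEN ASM_REWRITE_TAC [LESS_EQ_ZERO]
    THEN DISCH_TAC
    THEN ASM_REWRITE_TAC []
    THEN ASM_REWRITE_TAC [SUB]
   ;
    ASM_REWRITE_TAC [SUB]
    THEN COND_CASES_TAC
    THENL [
      REWRITE_TAC [ZERO_LESS_EQ]
     ;
      ASSUME_TAC (SPECL ["m:num"; "n:num"] LESS_EQ_MONO)
      THEN ASSUME_TAC (SPECL ["m-p"; "n-p"] LESS_EQ_MONO)
      THEN RES_TAC
      THEN RES_TAC
      THEN IMP_RES_TAC (SPECL ["m:num"; "n:num"; "p:num"] lemma1)
      THEN ASM_REWRITE_TAC []
    ]
  ]
 );;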

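% p <= m /\ p <= n ==> ((m - p) <= (n - p) = m <= n): add p back to both
  sides (LESS_EQ_MONO_ADD_EQ) and cancel with SUB_ADD. %
let LESS_EQ_MONO_SUB_EQ = prove_thm
 ('LESS_EQ_MONO_SUB_EQ',
  "! m n p:num . (p <= m) /\ (p <= n) ==> ((m - p) <= (n - p) = m <= n)",
  REPEAT STRIP_TAC
  THEN IMP_RES_TAC (SPECL ["n:num"; "p:num"] SUB_ADD)
  THEN IMP_RES_TAC (SPECL ["m:num"; "p:num"] SUB_ADD)
  THEN ASM_REWRITE_TAC
    [SPECL ["m-p"; "n-p"; "p:num"] (SYM_RULE LESS_EQ_MONO_ADD_EQ)]
 );;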

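% n <= p ==> !m. ((m + n) <= p) = (m <= p - n): add n to both sides of the
  right-hand inequality and cancel (p - n) + n with SUB_ADD. %
let LESS_EQ_ADD_SUB1 = prove_thm
 ('LESS_EQ_ADD_SUB1',
  "! n p:num . (n <= p) ==> !m:num. (((m + n) <= p) = (m <= p - n))",
  REPEAT STRIP_TAC
  THEN PURE_REWRITE_TAC [SPECL ["m:num"; "p:num - n:num"; "n:num"]
                          (SYM_RULE LESS_EQ_MONO_ADD_EQ)]
  THEN IMP_RES_TAC (SPECL ["n:num"; "p:num"] SUB_ADD)
  THEN ASM_REWRITE_TAC []
 );;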

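% m <= p ==> !n. ((m + n) <= p) = (n <= p - m): as LESS_EQ_ADD_SUB1 with
  the summands commuted. %
let LESS_EQ_ADD_SUB2 = prove_thm
 ('LESS_EQ_ADD_SUB2',
  "! m p:num . (m <= p) ==> !n:num. (((m + n) <= p) = (n <= p - m))",
  REPEAT STRIP_TAC
  THEN PURE_REWRITE_TAC [SPECL ["n:num"; "p:num - m:num"; "m:num"]
                          (SYM_RULE LESS_EQ_MONO_ADD_EQ)]
  THEN SUBST_TAC [SPECL ["n:num"; "m:num"] ADD_SYM]
  THEN IMP_RES_TAC (SPECL ["p:num"; "m:num"] SUB_ADD)
  THEN ASM_REWRITE_TAC []
 );;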

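% n <= m ==> !p. ((m - n) <= p) = (m <= n + p): add n to both sides, commute
  p + n to n + p, and cancel (m - n) + n with SUB_ADD. %
let LESS_EQ_SUB_ADD1 = prove_thm
 ('LESS_EQ_SUB_ADD1',
  "! m n:num . (n <= m) ==> !p:num. ((m - n) <= p = m <= (n + p))",
  REPEAT STRIP_TAC
  THEN SUBST_TAC [SYM (SPECL ["m-n"; "p:num"; "n:num"] LESS_EQ_MONO_ADD_EQ)]
  THEN SUBST_TAC [(SPECL ["p:num"; "n:num"] ADD_SYM)]
  THEN IMP_RES_TAC (SPECL ["m:num"; "n:num"] SUB_ADD)
  THEN ASM_REWRITE_TAC []
 );;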

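% n <= m ==> !p. ((m - n) <= p) = (m <= p + n): add n to both sides and
  cancel (m - n) + n with SUB_ADD. %
let LESS_EQ_SUB_ADD2 = prove_thm
 ('LESS_EQ_SUB_ADD2',
  "! m n:num . (n <= m) ==> !p:num. ((m - n) <= p = m <= (p + n))",
  REPEAT STRIP_TAC
  THEN SUBST_TAC [SYM (SPECL ["m-n"; "p:num"; "n:num"] LESS_EQ_MONO_ADD_EQ)]
  THEN IMP_RES_TAC (SPECL ["m:num"; "n:num"] SUB_ADD)
  THEN ASM_REWRITE_TAC []
 );;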

%WP 4-9-90% 

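% m < n /\ n <= p ==> m < p: split n <= p into n < p (LESS_TRANS) and
  n = p (substitute and accept the assumption m < n). %
let LESS_LESS_EQ_TRANS = prove_thm
 ('LESS_LESS_EQ_TRANS',
  "! m n p . (m < n) /\ (n <= p) ==> (m < p)",
  REWRITE_TAC [LESS_OR_EQ] THEN
  REPEAT STRIP_TAC THEN
  IMP_RES_TAC LESS_TRANS THEN
  ASM_REWRITE_TAC [] THEN
  FIRST_ASSUM \thm . (SUBST_TAC [SYM thm] ? NO_TAC) THEN
  FIRST_ASSUM ACCEPT_TAC
 );;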

%WP 4-9-90% 

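% m <= n /\ n < p ==> m < p: the mirror image of LESS_LESS_EQ_TRANS. %
let LESS_EQ_LESS_TRANS = prove_thm
 ('LESS_EQ_LESS_TRANS',
  "! m n p . (m <= n) /\ (n < p) ==> (m < p)",
  REWRITE_TAC [LESS_OR_EQ] THEN
  REPEAT STRIP_TAC THEN
  IMP_RES_TAC LESS_TRANS THEN
  ASM_REWRITE_TAC [] THEN
  FIRST_ASSUM \thm . (SUBST_TAC [SYM thm] ? NO_TAC) THEN
  FIRST_ASSUM 
ACCEPT_TAC
 );;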

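% LESS_CASES_NCONV i: the theorem |- n < i = (n = 0) \/ ... \/ (n = i-1),
  built recursively from LESS_THAN_ONE (i = 1) by one step of LT_EQ_LE_PRE
  and LESS_OR_EQ per increment; numeral arithmetic is discharged by
  REDUCE_CONV.
  NOTE(review): the operator in the first list_mk_comb is illegible in the
  scanned listing; "$-" (reducing i - 1) is the reading consistent with the
  PRE_SUB1 rewrite applied just before it - confirm against the original. %
letrec LESS_CASES_NCONV i_tm =
  let tm = mk_const ((string_of_int i_tm), ":num") in
  if i_tm = 1 then SPEC "n:num" LESS_THAN_ONE
  else
    REWRITE_RULE
      [LESS_CASES_NCONV (i_tm - 1)]
      (REWRITE_RULE
        [SPECL ["n:num"; mk_const ((string_of_int (i_tm - 1)), ":num")] LESS_OR_EQ]
        (REWRITE_RULE
          [REWRITE_RULE [] (REDUCE_CONV (list_mk_comb ("$-", [tm; "1"])))]
          (SUBS_OCCS
            [([2],
              MP
                (REWRITE_RULE [ONE_LESS_EQ; PRE_SUB1]
                  (SPECL ["n:num"; tm] LT_EQ_LE_PRE))
                (REWRITE_RULE [] (REDUCE_CONV (list_mk_comb ("$>", [tm; "0"])))))]
            (REFL (list_mk_comb ("$<", ["n:num"; tm]))))));;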

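% LESS_EQ_CASES_CONV "i": the theorem |- n <= i = (n = 0) \/ ... \/ (n = i),
  from LESS_OR_EQ and the strict-case theorem of LESS_CASES_NCONV; i = 0 is
  LESS_EQ_ZERO directly. The argument must be a numeral constant. %
let LESS_EQ_CASES_CONV tm =
  let i_tm = int_of_string (fst (dest_const tm)) in
  if i_tm = 0 then SPEC "n:num" LESS_EQ_ZERO
  else
    REWRITE_RULE
      [LESS_CASES_NCONV i_tm]
      (SPECL ["n:num"; tm] LESS_OR_EQ);;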

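% n <= 1 as a disjunction of equalities, saved into the theory. %
let LESS_EQ_1_CASES = save_thm
 ('LESS_EQ_1_CASES',
  LESS_EQ_CASES_CONV "1"
 );;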

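% n <= 3 as a disjunction of equalities, saved into the theory. %
let LESS_EQ_3_CASES = save_thm
 ('LESS_EQ_3_CASES',
  LESS_EQ_CASES_CONV "3"
 );;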

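% n <= 15 as a disjunction of equalities, saved into the theory. %
let LESS_EQ_15_CASES = save_thm
 ('LESS_EQ_15_CASES',
  LESS_EQ_CASES_CONV "15"
 );;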

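% Write ineq.th to disk. %
close_theory ();;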
3 Design Verification

This section contains the HOL listings for the PIU design verification — clock level with respect to gate
level. The five subsections of this section describe the P-Port, M-Port, R-Port, C-Port, and SU-Cont,
respectively.

3.1 P-Port Clock-Level Verification

The theory pclock_ver and the file pc_thms.ml contain the P-Port clock-level correctness proof.


%-----------------------------------------------------------------------------
File: pclock_ver.ml

Author: (c) D.A. Fura 1992-93

Date: 1 March 1993
-----------------------------------------------------------------------------%


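% Theory set-up for pclock_ver: extend the search path with the (absolute,
  developer-specific) PIU and library directories, discard any stale theory
  file (fixed literal command), open the theory, declare the parent theories,
  fetch the two expansion theorems from pclock_def and load the helper proofs.
  NOTE(review): the first parent reads 'gates_defl' in the scanned listing;
  'gates_def' follows the naming of the other parents - confirm. %
set_flag ('timing', true);;

set_search_path (search_path() @ ['/home/elvis6/dfura/ftep/piu/hol/pport/';
                                  '/home/elvis6/dfura/ftep/piu/hol/lib/';
                                  '/home/elvis6/dfura/hol/ml/';
                                  '/home/elvis6/dfura/hol/Library/abs_theory/';
                                  '/home/elvis6/dfura/hol/Library/time/';
                                  '/home/elvis6/dfura/hol/Library/QI/';
                                  '/home/elvis6/dfura/hol/Library/tools/'
                                 ]);;

system 'rm pclock_ver.th';;
new_theory 'pclock_ver';;
loadf 'aux_defs';;
load_library 'reduce';;
map new_parent
  ['gates_def'; 'latches_def'; 'ffs_def'; 'counters_def'; 'ineq'];;

map load_parent ['pclock_def'; 'pblock_def'; 'paux_def'; 'piuaux_def'; 'busn_def';
                 'buses_def'; 'array_def'; 'wordn_def'; 'assoc'; 'cond'];;

let PC_OF_EXP  = theorem 'pclock_def' 'PC_OF_EXP';;
let PC_NSF_EXP = theorem 'pclock_def' 'PC_NSF_EXP';;

loadt 'pc_thms.ml';;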

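% P_Clock_Correct: the gate-level P-Port block (PBlock_GATE) satisfies the
  clock-level correctness predicate PCSet_Correct.
  After unfolding, the goal splits in two: (1) the next state s(t+1) equals
  PC_NSF applied to the current state and environment, shown component by
  component with the P_*_THM selector lemmas from pc_thms.ml and the
  State_Selectors_Work reassembly theorem; (2) the output p t equals PC_OF,
  shown likewise with the L_*/I_*_THM lemmas and Out_Selectors_Work. %
let P_Clock_Correct = prove_thm
 ('P_Clock_Correct',
  "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
    PBlock_GATE s e p
    ==>
    PCSet_Correct s e p",
  REPEAT STRIP_TAC
  THEN REWRITE_TAC [PCSet_Correct]
  THEN INDUCT_THEN (prove_induction_thm PCI) ASSUME_TAC
  THEN GEN_TAC
  THEN REWRITE_TAC [PC_Correct; PC_Exec; PC_PreC; PC_PostC]
  THEN CONJ_TAC
  THENL [
    % Subgoal 1: "s(t + 1) = PC_NSF (s t) (e t)" %
    SUBST_TAC [SPEC "(s (t+1)):pc_state" State_Selectors_Work]
    THEN IMP_RES_TAC (SYM_RULE P_addrS_THM)
    THEN IMP_RES_TAC (SYM_RULE P_destlS_THM)
    THEN IMP_RES_TAC (SYM_RULE P_be_S_THM)
    THEN IMP_RES_TAC (SYM_RULE P_wrS_THM)
    THEN IMP_RES_TAC (SYM_RULE P_fsm_stateS_THM)
    THEN IMP_RES_TAC (SYM_RULE P_fsm_rstS_THM)
    THEN IMP_RES_TAC (SYM_RULE P_fsm_mrqtS_THM)
    THEN IMP_RES_TAC (SYM_RULE P_fsm_sackS_THM)
    THEN IMP_RES_TAC (SYM_RULE P_fsm_cgnt_S_THM)
    THEN IMP_RES_TAC (SYM_RULE P_fsm_crqt_S_THM)
    THEN IMP_RES_TAC (SYM_RULE P_fsm_hold_S_THM)
    THEN IMP_RES_TAC (SYM_RULE P_fsm_lock_S_THM)
    THEN IMP_RES_TAC (SYM_RULE P_rqtS_THM)
    THEN IMP_RES_TAC (SYM_RULE P_sizeS_THM)
    THEN IMP_RES_TAC (SYM_RULE P_loadS_THM)
    THEN IMP_RES_TAC (SYM_RULE P_downS_THM)
    THEN IMP_RES_TAC (SYM_RULE P_lock_S_THM)
    THEN IMP_RES_TAC (SYM_RULE P_lock_inh_S_THM)
    THEN IMP_RES_TAC (SYM_RULE P_male_S_THM)
    THEN IMP_RES_TAC (SYM_RULE P_rale_S_THM)
    THEN ASM_REWRITE_TAC
      [SPEC "PC_NSF ((s:time->pc_state) t) ((e:time->pc_env) t)"
        (SYM_RULE State_Selectors_Work)]
   ;
    % Subgoal 2: "p t = PC_OF (s t) (e t)" %
    SUBST_TAC [SPEC "((p:time->pc_out) t)" Out_Selectors_Work]
    THEN IMP_RES_TAC (SYM_RULE L_ad_out0_THM)
    THEN IMP_RES_TAC (SYM_RULE L_ready_0_THM)
    THEN IMP_RES_TAC (SYM_RULE I_ad_out0_THM)
    THEN IMP_RES_TAC (SYM_RULE I_be_0_THM)
    THEN IMP_RES_TAC (SYM_RULE I_rale_0_THM)
    THEN IMP_RES_TAC (SYM_RULE I_male_0_THM)
    THEN IMP_RES_TAC (SYM_RULE I_crqt_0_THM)
    THEN IMP_RES_TAC (SYM_RULE I_cale_0_THM)
    THEN IMP_RES_TAC (SYM_RULE I_mrdy_0_THM)
    THEN IMP_RES_TAC (SYM_RULE I_last_0_THM)
    THEN IMP_RES_TAC (SYM_RULE I_hlda_0_THM)
    THEN IMP_RES_TAC (SYM_RULE I_lock_0_THM)
    THEN ASM_REWRITE_TAC
      [SPEC "PC_OF ((s:time->pc_state) t) ((e:time->pc_env) t)"
        (SYM_RULE Out_Selectors_Work)]
  ]
 );;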

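% Write pclock_ver.th to disk. %
close_theory ();;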


%-----------------------------------------------------------------------------
File: pc_thms.ml

Author: (c) D.A. Fura 1992-93

Date: 1 March 1993
-----------------------------------------------------------------------------%

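% Selector lemma: under PBlock_GATE the P_addrS component of PC_NSF (s t) (e t)
  agrees with the gate-level state at t+1. Proved by unfolding the selector,
  the block expansion and the let-expanded next-state function. %
let P_addrS_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_addrS (PC_NSF (s t) (e t)) = P_addrS (s (t+1)))"),
  REWRITE_TAC [P_addrS; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;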

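% Selector lemma for the P_destlS state component (see P_addrS_THM). %
let P_destlS_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_destlS (PC_NSF (s t) (e t)) = P_destlS (s (t+1)))"),
  REWRITE_TAC [P_destlS; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;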

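% Selector lemma for the P_be_S state component (see P_addrS_THM). %
let P_be_S_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_be_S (PC_NSF (s t) (e t)) = P_be_S (s (t+1)))"),
  REWRITE_TAC [P_be_S; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;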

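% Selector lemma for the P_wrS state component (see P_addrS_THM). %
let P_wrS_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_wrS (PC_NSF (s t) (e t)) = P_wrS (s (t+1)))"),
  REWRITE_TAC [P_wrS; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;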

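% Selector lemma for the P_fsm_stateS state component (see P_addrS_THM). %
let P_fsm_stateS_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_fsm_stateS (PC_NSF (s t) (e t)) = P_fsm_stateS (s (t+1)))"),
  REWRITE_TAC [P_fsm_stateS; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;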

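% Selector lemma for the P_fsm_rstS state component (see P_addrS_THM). %
let P_fsm_rstS_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_fsm_rstS (PC_NSF (s t) (e t)) = P_fsm_rstS (s (t+1)))"),
  REWRITE_TAC [P_fsm_rstS; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;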

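% Selector lemma for the P_fsm_mrqtS state component (see P_addrS_THM). %
let P_fsm_mrqtS_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_fsm_mrqtS (PC_NSF (s t) (e t)) = P_fsm_mrqtS (s (t+1)))"),
  REWRITE_TAC [P_fsm_mrqtS; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;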

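% Selector lemma for the P_fsm_sackS state component (see P_addrS_THM). %
let P_fsm_sackS_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_fsm_sackS (PC_NSF (s t) (e t)) = P_fsm_sackS (s (t+1)))"),
  REWRITE_TAC [P_fsm_sackS; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;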

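% Selector lemma for the P_fsm_cgnt_S state component (see P_addrS_THM). %
let P_fsm_cgnt_S_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_fsm_cgnt_S (PC_NSF (s t) (e t)) = P_fsm_cgnt_S (s (t+1)))"),
  REWRITE_TAC [P_fsm_cgnt_S; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;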

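% Selector lemma for the P_fsm_crqt_S state component (see P_addrS_THM). %
let P_fsm_crqt_S_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_fsm_crqt_S (PC_NSF (s t) (e t)) = P_fsm_crqt_S (s (t+1)))"),
  REWRITE_TAC [P_fsm_crqt_S; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;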

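% Selector lemma for the P_fsm_hold_S state component (see P_addrS_THM). %
let P_fsm_hold_S_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_fsm_hold_S (PC_NSF (s t) (e t)) = P_fsm_hold_S (s (t+1)))"),
  REWRITE_TAC [P_fsm_hold_S; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;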

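% Selector lemma for the P_fsm_lock_S state component (see P_addrS_THM). %
let P_fsm_lock_S_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_fsm_lock_S (PC_NSF (s t) (e t)) = P_fsm_lock_S (s (t+1)))"),
  REWRITE_TAC [P_fsm_lock_S; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;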

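% Selector lemma for the P_rqtS state component (see P_addrS_THM). %
let P_rqtS_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_rqtS (PC_NSF (s t) (e t)) = P_rqtS (s (t+1)))"),
  REWRITE_TAC [P_rqtS; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;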

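% Selector lemma for the P_sizeS state component (see P_addrS_THM). %
let P_sizeS_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_sizeS (PC_NSF (s t) (e t)) = P_sizeS (s (t+1)))"),
  REWRITE_TAC [P_sizeS; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;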

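% Selector lemma for the P_loadS state component (see P_addrS_THM). %
let P_loadS_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_loadS (PC_NSF (s t) (e t)) = P_loadS (s (t+1)))"),
  REWRITE_TAC [P_loadS; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;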

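% Selector lemma for the P_downS state component (see P_addrS_THM). %
let P_downS_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_downS (PC_NSF (s t) (e t)) = P_downS (s (t+1)))"),
  REWRITE_TAC [P_downS; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;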

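% Selector lemma for the P_lock_S state component (see P_addrS_THM). %
let P_lock_S_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_lock_S (PC_NSF (s t) (e t)) = P_lock_S (s (t+1)))"),
  REWRITE_TAC [P_lock_S; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;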

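% lemma1 (local): the two bits (23,22) of the assembled control/address word
  built by the MALTER/ALTER chain are exactly bits (25,24) of the selected
  address (the latched P_addrS, or the incoming L_ad_inE when no request is
  pending). Proved by extensionality over the bit index n, the array theorems
  ALTER_THM / MALTER_THM / SUBARRAY_THM and numeral arithmetic on n + 22.
  NOTE(review): the "=" between the two SUBARRAY expressions is not visible in
  the scanned listing; it is restored here because FUN_EQ_CONV needs an
  equation - confirm against the original source. %
let lemma1 = TAC_PROOF
 (([],
   "SUBARRAY
      (MALTER
        (MALTER
          (ALTER
            (ALTER
              (MALTER
                ARBN
                (31,28)
                ((~P_rqtS(s (t:time))) => FST(L_be_E(e t)) | P_be_S(s t)))
              27
              ((~P_rqtS(s t)) => FST(L_wrE(e t)) | P_wrS(s t)))
            26
            F)
          (25,24)
          (SUBARRAY
            ((~P_rqtS(s t)) =>
              SUBARRAY (FST(L_ad_inE(e t))) (25,0) |
              P_addrS (s t))
            (1,0)))
        (23,0)
        (SUBARRAY
          ((~P_rqtS(s t)) =>
            SUBARRAY (FST(L_ad_inE(e t))) (25,0) |
            P_addrS (s t))
          (25,2)))
      (23,22)
    =
    SUBARRAY
      ((~P_rqtS(s t)) =>
        SUBARRAY (FST(L_ad_inE(e t))) (25,0) |
        P_addrS (s t))
      (25,24)"),
  CONV_TAC (ONCE_DEPTH_CONV FUN_EQ_CONV)
  THEN ASM_REWRITE_TAC [ALTER_THM; MALTER_THM; SUBARRAY_THM]
  THEN GEN_TAC
  THEN ASSUME_TAC (SPEC "n+22" ZERO_LESS_EQ)
  THEN ASSUME_TAC (SPEC "2" ZERO_LESS_EQ)
  THEN IMP_RES_TAC (SPECL ["n+22"; "0"; "2"] ASSOC_SUB_ADD1)
  THEN ASM_REWRITE_TAC [ZERO_LESS_EQ; COND_TRUE_TRUE;
                        SYM (SPECL ["n+22"; "23"; "2"] LESS_EQ_MONO_ADD_EQ);
                        SPECL ["n:num"; "22"; "2"] ASSOC_ADD_ADD1]
  THEN REDUCE_TAC
  THEN ASM_REWRITE_TAC [COND_TRUE_TRUE;
                        SPECL ["n:num"; "22"; "2"] ASSOC_ADD_ADD1]
  THEN REDUCE_TAC
  THEN ASM_REWRITE_TAC [COND_TRUE_TRUE]
 );;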

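% Selector lemma for the P_lock_inh_S state component; the preceding lemma1
  (bits (23,22) of the assembled word) closes the residual goal. %
let P_lock_inh_S_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_lock_inh_S (PC_NSF (s t) (e t)) = P_lock_inh_S (s (t+1)))"),
  REWRITE_TAC [P_lock_inh_S; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC [lemma1]
 );;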

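% Selector lemma for the P_male_S state component; uses lemma1 as in
  P_lock_inh_S_THM. %
let P_male_S_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_male_S (PC_NSF (s t) (e t)) = P_male_S (s (t+1)))"),
  REWRITE_TAC [P_male_S; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC [lemma1]
 );;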

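% Selector lemma for the P_rale_S state component; uses lemma1 as in
  P_lock_inh_S_THM. %
let P_rale_S_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (P_rale_S (PC_NSF (s t) (e t)) = P_rale_S (s (t+1)))"),
  REWRITE_TAC [P_rale_S; PBlock_EXP; (EXPAND_LET_RULE PC_NSF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC [lemma1]
 );;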

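% Output lemma: under PBlock_GATE the L_ad_out0 component of PC_OF (s t) (e t)
  agrees with the gate-level output p t. Same pattern as the state lemmas,
  unfolding the let-expanded output function PC_OF_EXP. %
let L_ad_out0_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (L_ad_out0 (PC_OF (s t) (e t)) = L_ad_out0 (p t))"),
  REWRITE_TAC [L_ad_out0; PBlock_EXP; (EXPAND_LET_RULE PC_OF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;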

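% Output lemma for the L_ready_0 component (see L_ad_out0_THM). %
let L_ready_0_THM = TAC_PROOF
 (([],
   "! (t:time) (s:time->pc_state) (e:time->pc_env) (p:time->pc_out) .
     PBlock_GATE s e p
     ==>
     (L_ready_0 (PC_OF (s t) (e t)) = L_ready_0 (p t))"),
  REWRITE_TAC [L_ready_0; PBlock_EXP; (EXPAND_LET_RULE PC_OF_EXP)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;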

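% lemma1 (local; shadows the earlier lemma1): the address and data drivers
  never both drive the 32-bit bus (Bus2n_CF holds for ad_data_out and
  ad_addr_out). The address driver is enabled only in FSM state PA and the
  data driver only in state PD, so at most one side is BUSN at any time;
  the proof splits on whether the next state is PD and on the write-enable
  bits, then uses the distinctness of the pfsm_ty constructors. %
let lemma1 = TAC_PROOF
 (([],
   "(fsm_astate t = ((P_fsm_stateS (s (t+1)) = PA),
                     (P_fsm_stateS (s (t+1)) = PA))) ==>
    (fsm_dstate t = ((P_fsm_stateS (s (t+1)) = PD),
                     (P_fsm_stateS (s (t+1)) = PD))) ==>
    (data_out_en t = ((FST(wr_out t) /\ FST(fsm_dstate t)),
                      (SND(wr_out t) /\ SND(fsm_dstate t)))) ==>
    (ad_addr_out t =
      ((FST(fsm_astate t) => BUSN(FST(addr_out t)) | Offn),
       (SND(fsm_astate t) => BUSN(SND(addr_out t)) | Offn))) ==>
    (ad_data_out t =
      ((FST(data_out_en t) => BUSN(FST(data_out t)) | Offn),
       (SND(data_out_en t) => BUSN(SND(data_out t)) | Offn))) ==>
    (Bus2n_CF (31,0) (ad_data_out t) (ad_addr_out t) = T)"),
  REWRITE_TAC [EXPAND_LET_RULE Bus2n_CF; ASel; BSel]
  THEN REPEAT STRIP_TAC
  THEN ASM_CASES_TAC "P_fsm_stateS (s (t + 1)) = PD"
  THEN ASSUME_TAC (REWRITE_RULE [] (REDUCE_CONV "0<=31"))
  THEN IMP_RES_TAC OFFnP_Offn
  THEN IMP_RES_TAC OFFnP_BUSN
  THEN ASM_REWRITE_TAC []
  THENL [
    ASM_CASES_TAC "FST ((wr_out:time->bool#bool) t)"
   ;
    ASM_CASES_TAC "SND ((wr_out:time->bool#bool) t)"
  ]
  THEN ASM_REWRITE_TAC [SYM_RULE (prove_constructors_distinct pfsm_ty_Axiom)]
 );;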

let NOT_PD x TAC_PROOF 

(<[], "1 (x tpfsnuty) . -(X = PD) =x> ((X = PA) \/ (X = PH))"), 

INDOCT_THEN (prove_induction_thm pf am_ty_Axiom) ASSUME_TAC 
THEN ASM_RBWRITE_TAC [ ] 

);> 

let I_ad_outO_THM « TAC_PROOF 

(([], 

"! (t ttime) (s : time->pc_8tate) (e ttlme->pc_env) (p !time->pc_out) . 
PBlock_OATE s e p 
xx> 

(l_ad_outO ( PC_OF (s t) (e t)) » X_ad_outO (p t))"), 

REWRITE_TAC [ I_ad_outO ) PBlock_BXP ; ( EXPAND_LET_RULE PC_OF_BXP) ] 

THEN REPEAT STRIP_TAC 

THEN POP_ASS0M_L!ST (MAP_EVERY ( STRIP_ASSUME_TAC o SPBC_ALL) ) 

THEN IHP_RBS_TAC lemma! 

THEN ASM_RBWRITE_TAC [ONnP_BOSN ) ONnP_Of fn ; COND_TROE_TRUE ] 

THEN ASM_CASES_TAC 

"( (P_fBm_xstS(B (titlme)) => PA | 

( (P_fem_»tateS (a t) = PH) => 

( P_f am_bold_S ( a t) »> PA I PH) | 

( (P_£»m_8tateS (b t) = PA) => 

( (P_f»m_mrqtS(B t) \/ «P_fsm_crqt_S(s t) /\ - P_f 8m_<=ffnt_s ( a t) ) => PD | 

( ( ~P_f sm_hold_S ( ■ t) /\ P_f sm_loc)c_S ( s t)) => PH | PA)) | 

( (P_fsm_sac)cS (a t) /\ P_f snv_hold_S (s t ) ) => PA I 
( (P_f sm_»acks (s t) /\ -P_f8m_hold_S(s t) /\ -P_f 8in_lock_s (s t)) => PA I 
( (P_fsm_8ackS(s t) /\ -P_f Bm_hold_S ( s t) /\ P_f sm_lock_S ( s t ) ) =>• PH I 
PD)))))) » PD)" 

THEN ASSUMB_TAC (RENRITB.RULE [] (RBDUCB.CONV "0<=31") ) 

THEN IMP_RBS_TAC ONnP_Of fn 

THEN ASM_REWRITB_TAC [ONnP_BUSN 1 COND_TRUE_TRUE ] 

THEN IMP_RES_TAC NOT_PD 

THEN POP_ASSUM_LIST (MAP_BVERY (\thm. STRIP_ASSUME_TAC thm) ) 

THEN ASM_REHRITE_TAC [ONnP_BUSN> ONnP_Of fn; COND_TRUE_TRUH ; 

pr ove_cons true tor 8_distinct p£sm_ty_Axlom> 

SYM_RULE (prove_con8tructor8_distinct pf sm_ty_Axiom) ] 

THEN COND_CASBS_TAC 

THEN ASM_REWRITE_TAC [ ONnP_BUSN ; ONnP_Of f n ) COND_TRUE_TRUE ; 

prove_cons tructor B_di8t Inct pf am_ty_Axiora; 

SYM_RULB (prove_confltructor8_distinct pf 8m_ty_Axiom) ] 

);; 

let I_be_0_THM x TAC_PROOF 

(( [], 

"! (t itime) (8 ttlme->pc_8tate) (e itime->pc_env) (p itime->pc_out) . 
PBlock_OATB 8 e p 

XX> 

(l_be_0 ( PC_OF (8 t) (e t ) ) = l_be_0 (p t))"), 

RBWRITB_TAC [ l_be_0 > PBlock_EXP ; ( BXPAND_LBT_RULE PC_OF_BXP) ] 

THEN REPEAT STRIP.TAC 
THEN ASM_RBHRZTB_TAC [] 

)>> 
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lot I_ralo_0_THM = TAC_PROOF 

(([], 

"1 (t itimo) (s itime->pc_state) 
PBlock_OATB sop 

(l_ralo_0 (PC_OF (s t) (a t) ) 
RBWRITB_TAC [l_ralo_0> PBlockJBXP 
THEN REPEAT STR1P_TAC 
THEN ASM_REWRITE_TAC [lommal] 

)>; 

lot I_mal«_0_THM = TAC_PROOF 

(([], 

"1 (t itlmo) (a itimo->pc_8tato) 
PBlock_OATE sop 

( l_male_0 (PC_OF (a t) (o t ) ) 
REWRITE_TAC [ l_male_0 > PBlock_EXP 
THEN REPEAT STRIP_TAC 
THEN ASM_RBWRITE_TAC [lommal] 

)>» 

lot I_crqt_0_THM = TAC_PROOF 

(III, 

" ! (t :tlmo) (a itirao->pc_stato) 
PBlock_OATE sop 

(l_crqt_0 (PC_OF (8 t) (o t)) 
RBWRITE_TAC [ I_crqt_0 ) PBlock_EXP 
THEN REPEAT STRXP_TAC 
THEN ASM_REWRI TE_TAC [] 

) ;; 

lot I_calo_0_THM - TAC_PROOF 

(([], 

"! (t itlmo) (s itimo->pc_stato) 
PBlock_OATE a e p 
==> 

(I_calo_0 (PC_OF (s t) (a t)) 
REWRITE_TAC [I_calo_0;PBlock_EXP 
THEN REPEAT STRIP_TAC 
THEN ASM_REWRI TB_TAC [] 

) / ; 

lot I_mrdy_0_THM « TAC_PROOF 

(([], 

"1 (t ttimo) (a :timo->pc_atata) 
PBlook_OATB sop 
«»> 

( l_mrdy_0 (PC_OF (s t) (o t)) 
RBWRITB_TAC [l_mrdy_0»PBlock_EXP 
THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [WIRE] 

);; 

lot I_last_0_THM « TAC_PROOF 

(([], 

“l (t itlmo) (a itimo->po_atato) 
PBlock_OATB sop 
*=> 

( l_last_0 (PC_OF (s t) (o t ) ) 
REWRITB_TAC [ l_last_0 ; PBlock_EXP 
THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [] 

hi 

lot I_hlda_0_THM = TAC_PROOF 

( ( [], 

"1 (t itlmo) (a !timo->pc_atato) 
PBlock_OATB sap 


(o itlmo->pc_env) (p itimo->pc_out) 

= l_rale_0 (p t))»), 
(BXPAND_LET_RULE PC_OF_EXP)] 

(o ttlme->po_onv) (p itimo->pc_out) 

* l_male_0 (p t))"), 

( EXP AND_IiET_RULE PC_OF_EXP) ] 

(o itime->pc_onv) (p itime->pc_out) 

= l_crqt_0 (p t))"), 
(EXPAND_LET_RULE PC_OF_EXP) ] 

(a itimo->-pe_onv) (p itimo->pc_out) 

= l_oalo_0 (p t))"), 

( EXPAND_LBT_RULB PC_OF_EXP) ] 

(e i time->pc_env) (p itimo->po_out) 

- I_mrdy_0 (p t))")# 

( EXPAND_LET_RULE PC_OF_EXP ) ] 

(o itima->pc_onv) (p itimo->po_out) 

- l_last_o (p t ) ) " ) , 

( BXPAND_LBT_RDLE PC_OF_EXP) ] 

(o i t Imo - >pc env ) (p itima->pc_out) 
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(I_hlda_0 <PC_OF (a t) (« t) ) => l_hlda_0 (p t ) ) " ) , 

RBWRITE_TAC [ l_hlda_0 ) PBlock_EXP ) ( EXPAND_LET_RULE PC_OF_BXP) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RBMRITB_TAC [] 

) ;; 

let I_lock_0_THM = TAC_PROOF 
( ( []/ 

"1 (t itime) (s itime->pc_state) (e itime->pc_env) (p ttime->pc_out) . 
PBlock_GATE sap 
==> 

(l_lock_0 (PC_OF (a t) (at)) « l_lock_0 (p t))"), 

RBWRITE_TAC [ l_lock_0 ; PBlock_EXP ) (EXPAND_IjET_RULE PC_OF_EXP) ] 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITE_TAC [lemmal] 

);; 


3.2 M-Port Clock-Level Verification 

The theory mclock_ver and file mcjhms.ml contain the M-Port clock-level correctness proof. 


File i 
Author t 
Date i 


mclock_ver.ini 

(c) D.A. Fura 1992-93 

1 March 1993 


aet_flag ('timing'/ true);; 

aet search path (aearch_path( ) 9 [ ' /home/elviaS/dfura/f tep/piu/hol/mport / ' i 

' /home/elvie6/dfura/£tep/piu/hol/llb/ ' » 

' /home/elvia6/dfura/hol/ml / ' t 
' /home/elvia6/dfura/hol/Library/aba_theory/ ' ; 
' /home/elvia6/d£ura/hol/Llbrary/tools/ ' 

])»» 


system 'rm mclock_ver . th' i j 

new_thaory 'mclock_ver ' ; i 

loadf ' aba_theory ' ; > 
loadf ' aux_de£ a ' n 

map new_parent [ 'wordn_de£ ' > ' array_def ' ; ' gates_daf 1 ' > ' latches_def ' ; ' £f s_de£ ' ; 
' counter s_de£ ' I ' ineq ' ] ; ; 

map load_parent I 'pluaux_de£ ' ; 'maux_da£ ' i 'nObloek_dof ' ; 'mcloek_de£ ' ] ; ; 

let RBP_ty = abs_type_in£o (theorem 'piuaux_def' 'RBP')j( 

new_type_abbr ev ( ' t ImeC ' , * « num" ) j j 

loadt ' mc_thma . ml ' ; ; 

let M_Clock_Correct « prove_thm 
( 'M_Clock_Correct ' , 

"1 (rep i*RBP_ty) (t itime) (a i time->mc_atata) (e itime->mc_env) 

(p itime->mc_out) . 

MBlock_GATE rep a e p 
==> 

MCSet_Correct rep a e p", 

REPEAT STRIP_TAC 

THEN RENR1TE_TAC (MCSet_Correctl 
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THEN INDUCT_THEN (prove_induction_thm MCI) ASSCME_TAC 
THEN OEN_TAC 

THEN RBWRITB_TAC [MC_Correct ; MC_Exec I MC_PreC ; MC_PostC ] 

THEN CONJ_TAC 
THBNL [ 

% Subgoal Is "8(t + 1) = MC_NSF rep (a t) (a t) " % 
SUBST_TAC [SPEC "(a (t+1) ) tmc_atate" state_Seleetora_Work] 
THEN IMP_RES_TAC (SYM_RULB M_f am_atateS_THM) 

THEN IMP_RES_TAC (SYM_RULE M_f am_male_S_THM) 

THEN IMP_RES_TAC ( SYM_RULE M_f am_rdS_THM) 

THEN IMP_RES_TAC (SVM_RTJLE M_f am_bwS_THM) 

THEN IMP_RBS_TAC ( SYM_RULB M_f am_WWS_THM ) 

THEN IMP_RES_TAC (SYM_RULE M_f am_laat_S_THM) 

THEN IMP_RES_TAC ( SYM_ROLB M_f am_mrdy_S_THM ) 

THEN IMP_RES_TAC ( S YM_RULE M_f am_zero_cntS_THM) 

THEN IMP_RES_TAC (SVM_RULE M_f am^ratS_THM) 

THEN IMP_RES_TAC ( SYM_RULE M_aeS_THM) 

THEN IMP_RES_TAC (STtM_RULE M_wrS_THM) 

THEN IMP_RES_TAC ( SVM_ROLE M_addrS_THM) 

THEN IMP_RES_TAC ( SYM_ROLE M_baS_THM) 

THEN IMP_RES_TAC ( SYM_ROLE M_countS_THM) 

THEN IMP_RBS_TAC ( SVM_RULE M_rdyS_THM) 

THEN IMP_RES_TAC ( SYM_RULB M_wwdalS_THM) 

THEN IMP_RBS_TAC ( SYM_RULB M_parityS_THM) 

THEN IMP_RES_TAC ( S1M_RULE M_rd_dataS_THM) 

THEN IMP_RKS_TAC ( SYM_RDLE M_detactS_THM) 

THEN ASM_REWRITE_TAC 

[SPEC "MC_NSF (rapt A REP_ty) ( (a t time- >inc_8t ate) t) 

( (ett±me->rac_env) t)" 

( SYM_RULE State_Selectora_Work) ] 

) 

% Subgoal 2 1 "p t = MC_OF rep (a t ) ( a t ) " % 

SOBST_TAC [SPEC " ( (pttime->rac_out) t)" Out_selectora_Work] 
THEN XMP_RKS_TAC ( SYM_RULE I_ad_OUt0_THM) 

THEN IMP_RBS__TAC ( SYM_RULB I_ardy_0_THM) 

THEN IMP_RES_TAC ( SYM_RULB MB_addr 0_THM ) 

THEN IMP_RES_TAC ( SYM_RULB MB_data_outO_THM) 

THEN IMP_RES_TAC ( SYMJRULB MB_c 8 _a apr om_0_THM ) 

THEN IMP_RES_TAC (SYM_ROLE MB_ca_aram_0_THM) 

THEN IMP_RES_TAC ( SYM_RULB MB_wa_0_THM) 

THEN IMP_RES_TAC ( SYM_RULB MB_oe_0_THM) 

THEN IMP_RES_TAC (SYM_RULE MB_parityO_THM) 

THEN ASM_REWRITB_TAC 

[SPEC *MC_OF (rapt A REP_ty) ( (a t time->mc_atate) t) 

( (ettime->mc_env) t)" 

( sym_rdle Out_Salectora_Work) ] 


] 


)>; 


cloae_thaory( ) > ; 


Filet itic_thms.ini 

Author! (c) D.A. Fura 1992-93 

Date! 1 March 1993 

* 

let M_f am_atateS_THM « TAC_PROOF 

<<[], 

"! (t ttimeC) (rep t *REP_ty) (a t t imeC->mc_atata) (a ! t imeC - >mc_env ) 

(p ttimeC->mc_out) . 

MBlock_QATB rep a a p 
==> 

(M_£am_atateS (MC_NSF rep (a t) (at)) = M_‘ jm_stateS (a (t+1)))"), 
RBVmiTE_TAC [M_f am_StateS)MBlock_EXPl (BXPAND_LBT_RULE MC_NSF_REW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [ ] 
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>» J 

let M_f am_male_S_THM « TAC_PROOF 

(([], 

"i (t itlmeC) (rep t A RBP_ty) (s itimeC->mc_state) (e ttimeC->mc_env) 

(p i tlmeC->mc_out ) . 

MBlock_GATB rep s e p 
■» 

(M_f am_male_S (MC_NSF rep (a t) (e t)) = M_f am_male_S (s (t+1)))"), 
RKWRITB_TAC [M_£am_male_S/MBlock_BXP| ( BXPAND_LBT_RULE MC_NSF_RBW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RBWRITE_TAC [ ] 

) ;; 

let M_£am_rdS_THM - TAC_PROOF 

(([], 

"1 (t itlmeC) (rep t A RBP ty) (s itimeC->mc_etate) (e itimeC->mc_env) 

(p itlmeC->mc_out) . 

MBlock_QATB rep a e p 
==> 

(M_f am_rds (MC_NSF rep (a t) (e t) ) = M_fam_rdS (b (t+1)))")/ 
RBWRXTB_TAC [M_f am_rdS ; MBlock_EXP ; ( BXPAND_LET_RULE MC_NSF_RBW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITB_TAC [ ] 

)>; 

let M_fam_bwS_THM = TAC_PROOF 

<([], 

"I (t itlmeC) (rep t A REP_ty) (a i timeC->mc_atate) (e itimeC->mc_env) 

(p itimeC->mc_out) . 

MBlock_GATB rep a e p 

(M_£arn_bwS (MC_NSF rep (a t) (e t ) ) = M_£am_bwS (a (t+1)))"), 

REWRI TE_TAC [M_£am_bwS;MBlock_EXP; ( EXPAND_LBT_RULB MC_NSF_REW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [ ] 

)ll 

let M_£am_wwS_THM = TAC_PROOF 

(((]. 

"I (t itlmeC) (rep i A REP_ty) (a itimeC->mc_atate) (e ttimec->mc_env) 

(p i t ImeC - >mc_out ) . 

MB 1 o c k_GATB rep a e p 
»> 

(M_£an\_wwS (MC_NSF rep (a t) (at)) = M_f am_wwS (a (t+1)))"), 
RBWRITE_TAC [M_£ am_wwS ) MBlock_EXP ; (EXPAND_LET_RULE MC_NSF_REW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RBWRITE_TAC [ ] 

)>; 

let M_£am_laat_S_THM ■ TAC_PROOF 

(([], 

"! (t itlmeC) (rep t A RBP ty) (a itimeC->me_atate) (e itlmeC->-mc_env) 

(p i t imaC - >mc_out ) . 

MBlock_GATE rap a a p 
«■> 

(M_fam_laat_S (MC_NSF rep (a t) (at)) = M_£am_laat_S (a (t+1)))"), 
REWRZ TE_TAC [M_£am_laat_S;MBlock_EXP» ( EXP AND_LET_RULE MC_NSF_REW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RBWRITB_TAC [ ] 

)»; 

let M_£am_mrdy_S_THM » TAC_PROOF 

(([], 

"! (t itlmeC) (rep i A REP_ty) (a itimeC->mc_atate) (e itimeC->mo_env) 

(p t timec—>mc out) . 

MBlock_OATE rap a a p 
==> 

(M_£am_mrdy_S (MC_NSF rep (a t) (at)) = M_fam_mrdy_S (a (t+1)))"), 
RENRXTE_TAC [M_£ am_mrdy_S ; MBlock_EXP j ( EXPAND_LET_RULB MC_NSF_RBW) ] 

THEN REPEAT STRXP.TAC 
THEN ASM_REWRITB_TAC [ ] 
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) j; 

lot M_fsnv_zero_cntS_THM • TAC_PROOF 

(([], 

"! (t itlmeC) (rop : A RBP_ty) (s : timeC->mc_state) (e : t imeC - >mc_env ) 

(p ttimaC->me_out) . 

MBlock_QATB rep 8 e p 
■■> 

( M_ f am_z a r o_c nt S (MC_NSF rap (s t) (at)) = M_£sm_zaro_cntS (a (t+1) ) ) ") , 
REWRITE_TAC [M_£ 8m_zero_CHtS ; MBlook_EXP ; (EXPAND_LBT_RULB MC_NSF_RBW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [ ] 

);» 

lot M_£8m_rstS_THM = TAC_PROOF 

(([]» 

"l (t ttlmaC) (rap t A REP_ty) (a ttimeC->mc_state) (a ttimaC->mc_onv) 

(p ttimaC->mc_out) . 

MB lock_QATB rop sap 

(M_£»m_r8tS (MC_NSF rop (s t) (at)) = M_fsm_rstS (8 (t+1)))"), 
REWRITE_TAC (M_£ 8m_rs t S ; MBlockJBXP ; ( BXPAND_LET_RULB MC_NSF_REW ) ] 

THEN REPEAT STRXP_TAC 
THEN ASM_REWRITE_TAC [ ] 

) ;; 

lot M_aaS_THM = TAC_PROOF 

(([], 

"! (t ttimeC) (rap : *REP_ty) (8 s t imeC - >mc_s t at a ) (a )timoC->mc_anv) 

(p itimoC->mc_out) . 

MBlockGATE rap sap 
=>=> 

(M_saS (MC_NSF rap (8 t) (at)) = M_ooS (s (t+1)))"), 

REWRITE_TAC [M_»aS ; MBlock_BXP ; (BXPAND_LBT_RULB MC_NSF_REW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RBWRXTE_TAC [ ] 

)ll 

lat M_WrS_THM ■ TAC_PROOF 

(([], 

"1 (t ttlmaC) (rep t *RBP_ty) (s itlmaC->mc_stata) (a itlmaC->mc_anv) 

(p !timeC->mc_out) . 

MBlockOATE rap sap 
=■> 

(M_wrS (MC_NSF rap (s t) (at)) = M_wrS (s (t+1)))"), 

REWRITE_TAC [M_wrS;MBloek_EXP; (EXPAND_LET_RULE MC_NSF_REW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REMRITE_TAC [ ] 

) II 

lat M_addrS_THM ■ TAC_PROOF 

(([], 

"! (t ttlmaC) (rop t A RBP_ty) (8 itlmaC->mc_8tata) (a ttlmeC->mc_anv) 

(p ttimaC->mc_out) . 

MBlock_OATE rap sap 

(M_addrS (MC_NSF rap (s t) (at)) = M_addrS (s (t+1)))"), 

RBWRITE_TAC [M_addr S ; MBlock_EXP ) (EXPAND_LET_RULE MC_NSF_REW) ] 

THEN REPEAT STRXP.TAC 
THEN ASM_RBWRITB_TAC [ ] 

);> 

lat M_beS_THM = TAC_PROOF 

( ( (], 

"! (t ttlmaC) (rop t *RBP_ty) (s t timeC->mc_state) (a t timoC->mc_env) 

(p ttimaC->me_out) . 

MBlock_OATE rap a a p 

(M„bes (MC_NSF rap (o t) (at)) « M_boS (b (t+1)))"), 

RBWRITB_TAC [M_baS;MBlook_EXP; ( BXPAND_LET_RULE MC_NSF_REN) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [] 
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);; 

let M_countS_THM = TAC_PROOF 

<([], 

"I (t it imeC) (rep < A REP_ty) (a :timeC->me_Btate) (e : timeC->mc_env) 
(p itimeC->mc_out) . 

MBlock_QATB rep s e p 
»»> 

(M_countS (MC_NSF rep (at) (e t) ) = M_countS (s (t+1) ) ) " ) , 
REWRITE_TAC [M_countS ) MBlock_BXP j (KXPAND_LET_RULB MC_NSF_RBW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITB_TAC [ ] 

)»; 

let M_rdyS_THM = TAC_PROOF 

(([]. 

"1 (t itiroeC) (rep i A REP_ty) (e i timeC->mc_atate) (e i timeC->mc_env) 
(p : t ImeC - >mc_out ) . 

MBlock_GATE rep s e p 
««> 

(M_rdyS (MC_NSF rep (s t) (e t ) ) = M_rdyS (s (t+1)))"), 
RBWRITE_TAC [M_rdyS;MBlock_EXP; (EXPAND_LET_RULE MC_NSF_REW) 3 
THEN REPEAT STRIP_TAC 
THEN ASM_RBWRITE_TAC [ ] 

)>l 

let M_wwdelS_THM - TAC_PROOF 

(([], 

"1 (t i timeC) (rep : A REP_ty) (s itimeC->mo_state) (e itimeC->mc_env) 
(p t timeC ->mc_out) . 

MBlock_GATE rap sap 
==> 

(M_wdelS (MC_NSF rep (s t) (at)) = M_wwdelS (« (t+1)))"), 
REWRITB_TAC [M_WWdalS)MBlock_EXP ; ( EXP AND_LET_ROLE MC_NSF_RBW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWR I TB_T AC [ ] 

);; 

let M_parityS_THM = TAC_PROOF 

(([], 

"1 (t i timeC) (rep t A REP_ty) (s itimaC->mc_atate) (e ttimeC->mc_en.v) 
(p s timeC ->mo_out ) . 

MB 1 o c k_QATE rep a e p 
««> 

(M_parityS (MC_NSF rep (a t) (e t) ) = M_parityS (a (t+1)))"), 
REWRITE_TAC [M_par ityS l MBlock_BXP ; (EXPAND_LET_RULE MC_NSF_REW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RBWRITK_TAC [ ] 

);; 

let M_rd_dataS_THM « TAC_PROOF 

(([], 

"1 (t i timeC) (rep i A RBP_ty) (a itimeC->me_atate) (e i timeC ->mc_env) 
(p : t imeC - >mc_out ) . 

MBlock_OATE rap a e p 
««> 

(M_rd_dataS (MC_NSF rep (a t) (e t) ) = M_rd_dataS (a (t+1)))"), 
REWRITE_TAC [M_rd_dat aS ; MBlock_EXP ; ( BXPAND_LET_RULE MC_NSF_RHW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITB_TAC [ ] 

);» 

let M_detectS_THM « TAC_PROOF 

(([], 

"1 (t itimeC) (rep : A REP_ty) (a i timeC ->mo_at ate) (e itimeC->mc_env) 
(p !timeC->mc_out) . 

MBlock_OATB rep a e p 

»«> 

(M_detectS (MC_NSF rep (a t) (a t)) * M_detectS (a (t+1)))"), 
REWRXTB_TAC [M_detectSjMBlock_EXPj (EXPAND_LET_RULE MC_NSF_REW) ] 

THEN REPEAT STRIP.TAC 
THEN ASM_RBWRITB_TAC U 
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)ll 

let I_ad_outO_THM = TAC_PROOF 

(([]» 

"1 (t : timeC) (rep s A REP_ty) (a : timeC->mc_state) (e ( 1 imeC - >mc_env ) 
(p ttimeC->me_out) . 

MB lock_QATB rep a e p 
==> 

(I_ad_outO (MC_OP rep (a t) (e t)) = I_ad_outO (p t))")< 
REWRITE_TAC (I_ad_OUtO/MBlock_BXP; (BXPAND_LBT_RULB MC_OF_REW) J 
THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [ ] 

) ) J 

let I_s r dy_0_THM = TAC_PROOF 

<([], 

"! (t i timeC) (rep ( A REP_ty) (a : timeC ->mc_at ate) (e i timeC ->mc_env) 
(p i timeC ->me_out) . 

MBlock_QATB rep a e p 
==> 

(l_ardy_0 (MC_OF rep (at) (e t ) ) = l_ardy_0 (p t))"), 

REWRITE_TAC [I_ardy_0;MBlock_EXP; (EXPAND_LET_RULB MC_OF_REW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITB_TAC [ ] 

);; 

let MB_addrO_THM = TAC_PROOF 
( ( (] > 

"! (t t timed (rep ( A RSP_ty) (a itimeC->mc_atate) (e ( timeC ->mc_env) 
(p »timeC->mc_out) . 

MBlock_OATB rep a e p 

==> 

(MB_addrO (MC_OF rep (a t) (e t) ) = MB_addrO (p t) ) ") , 

REWRXTE_TAC [MB_addrO ; MBlock_EXP j ( EXPAND_LET_RULB MC_OF_REW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RBWRITB_TAC[] 

);> 

let MB_data_outO_THM = TAC_PROOF 

(( [], 

"1 (t itimeC) (rep i *REP_ty) (a :timeC->mc_atate) (e :timeC->mc_env) 
(p itimeC->me_out) . 

MB lock_GATB rep 8 e p 
==> 

(MB_data_outO (MC_OF rep (a t) (e t ) ) = MB_data_outO (p t) ) ") , 
RBWRITE_TAC [MB_dat a_out O ; MB lock_BXP ) ( EXPAND_LET_RULE MC_OF_REW) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [ ] 

) ;; 

let MB_ca_eeprom_0_THM « TAC_PROOF 

(([], 

"! (t itimeC) (rep t A RBP_ty) (a itimeC->mc_state) (e t timeC ->mc_env) 
(p :timeC->mc_out) . 

MBlock_QATE rep a e p 

(MB_oa_eeprom_0 (MC_OF rep (a t) (e t) ) = MB_ca_eeprom_0 (p t))"), 
REWRXTE_TAC [MB_C 8_eeprom_0 ; MB lock_BXP ; ( BXPAND_LET_RULE MC_OF_REN) ] 
THEN REPEAT STRXP_TAC 
THEN ASM_RBWRITE_TAC[] 

) It 

let MB_c a_a r am_0_THM = TAC_PROOF 

( ( [], 

"! (t (timed (rep ( A REP_ty) (a (timeC->mc_atate) (e (timeC->mc_env) 
(p (timeC->mc_out) . 

MBlock_QATB rep a e p 

(MB_ca_aram_0 (MC_OF rep (a t) (e t ) ) = MB_ca_aram_0 (p t))")» 
REWRITE_TAC lMB_ca_aram_0;MBloek_EXP; ( EXPAND_LET_RULE MC_OF_REW) ] 
THEN REPEAT STRXP_TAC 
THEN ASM_REWRITB_TAC [ ] 
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) ;; 

let MB_w#_0_THM = TAC_PROOF 

(< [], 

"! (t itimaC) (rep t A REP_ty) (s :timeC->mc_state) (e :timeC->mc_env) 
(p ttimec->mc_out) . 

MBlock_QATB rep s e p 
==> 

(MB_we_0 (MC_OF rep (s t) (e t)) = MB_we_0 (p t))"), 

RBWRITB_TAC [MB_we_0 ; MBlock_BXP 1 (EXPAND_LET_RULB MC_OF_RBM ) ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RRWRITE_TAC [ ] 

);; 

let MB_oe_0_THM = TAC_PROOF 

(([], 

"1 (t ttlmec) (rep : A REP_ty ) (s :timeC->mc_state) (e itimeC->mc_env) 
(p ttimeC->mc_out) . 

MBlock_QATE rep 8 e p 
«•> 

(MB_oe_0 (MC_OF rep (s t) (e t)) = MB_oe_0 (p t))"), 

REMRITE_TAC [MB_oe_0 1 MBlock_BXP ; ( BXPAND_LBT_RULE MC_OF_REW) ] 

THEN REPEAT STRIP.TAC 
THEN ASM_RZWRITE_TAC [ ] 

);> 

let MB_parltyO_THM = TAC_PROOF 

(([], 

"1 (t ttlmaC) (rep : A REP_ty) (a ! timeC->mc_atate) (e !tlmeC->mc_env) 
(p : timeC->mc_out ) . 

MBlock_OATB rep 8 e p 
*=> 

(MB_parltyO (MC_OF rep (s t) (e t ) ) = MB_parityO (p t))")< 
REWRITE_TAC [MB_parityO;MBlock_EXP; ( EXPAND. LB T_RU LE MC_OF_REW) J 
THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [ ] 

);» 


3.3 R-Port Clock-Level Verification 

The theory rclock_ver and file rcjthms.ml contain the R-Port clock-level correctness proof. 


Filet rclock_ver.ini 

Author: (c) D.A. Fura 1992-93 

Date t 7 March 1993 


■% 


set_flag ('timing', true);; 

set_search_path (search _path() 9 [ ' /home/elvis6/dfura/f tep/piu/hol/rport/ ' ; 

' /home/elvis6/dfura/f tep/piu/hol/lib/ ' ; 

' /home/elvis6/dfura/hol/ml/ ' ; 

' /home/elvia6/d£ura/hol/Library/abs_theory/ ' ; 
' /home/elvis6/d£ura/hol/Library/tools/ ' 

));; 


system 'rm rclook_ver .th' ; ; 
new_theory ' rclock_ver ' ; ; 
loadf ' ahs_theory ' ; ; 
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loadf ' aux_def e ' ; j 


map new_parent t 'array_def ' > ' rclock_def ' t 'rblock_def ' 1 ; ; 

map load_parent [ 'piuaux_def ' ; ' raux_def ' j 'buses_def ' ; 'busn_def ' ; ' ineq' ; 'cond' ; 
'wordn_def ' ] j ; 

load_library ' reduce ' ; ; 

let RBP_ty = abs_type_info (theorem 'piuaux_def' 'REP')j> 

let RClockNSF_REW = theorem 'rclock_de£' 'RClockNSPRBW' ; ; 

let RClockOF_HBW « theorem ' rclock_def ' ' RClockOF_RBW ' ) ; 

let RBlock_EXP * theorem 'rblock_de£' ' RBlock_EXP ' > » 

let RClockNSF_EXP ■ EXPAND_LBT_RULE RClockNSFJREW; ; 

let RClockOF_EXP * EXPAND_LBT_RULK RClockOF_REW; ; 

loadt ' rc_thms . ml ' ; ; 

let R_Clock_Correct = prove_thm 
( 'R_Clock_Correct ' , 

"! (rep t *REP_ty) (t ttime) (e itime->r_etate) (e t time->r_env) 

(p «time->r_out) . 

RBlock_GATB rep sap 

RCSet_Correct rep s e p", 

REPEAT STRIPJTAC 

THEN REWRITB_TAC (RCSet_Correct ] 

THEN TNDUCT_THBN (prove_induction_thm RCI) ASStJME_TAC 
THEN OEN_TAC 

THEN RBWRITB_TAC [RC_Corract;RC_ExecjRC_PraC;RC_PostC] 

THEN CONJ_TAC 
THENL ( 

% Subgoal It "s(t + 1) = RClockNSF rep (s t) (e t) " % 

SOBST_TAC [SPEC "(s (t+1) ) tr_state" State_Selectors_Hork] 

THEN IMP_RES_TAC (SXM_RULE R_ctrO_THM) 

THEN IMP_RBS_TAC ( SYM_RULE R_ctrl_THM) 

THEN IMP_RES_TAC (SYM_RDLE R_ctr2_THM) 

THEN IMP_RBS_TAC ( SYM_RtJLB R_Otr3_THM) 

THEN IMP_RBS_TAC ( SYM_RDLE R_bueA_latch_THM ) 

THEN IMP_RES_TAC (SXM_RULB R_f em_state_THM) 

THEN IMP_RBS_TAC (SYM_RULE R_f em_ale_THM) 

THEN IMP_RES_TAC (SYM_RULE R_f am_mrdy_THM) 

THEN IMP_RBS_TAC ( S YM_RULE R_f em_last_THM) 

THEN IMP_RBS_TAC ( SYM_RDLE R_f sm_rst_THM) 

THEN IMP_RBS_TAC (SYM_RULE R_intO_dia_THM) 

THEN IMP_RES_TAC ( SYM_ROLB R_int3_di«_THM) 

THEN IMP_RBS_TAC ( SYM_RULE R_c01_cout_del_THM) 

THEN IMP_RBS_TAC (SYM_RULE R_intl_en_THM) 

THEN IMP_RBS_TAC ( SYM_RULE R_c23_COUt_del_THM) 

THEN IMP_RBS_TAC ( SYM_RULB R_int2_en_THM) 

THEN IMP_RBS_TAC (SYM_ROLB R_wr_THM) 

THEN IMP_RBS_TAC ( SVM_RtJLE R_cntlatch_del_THM) 

THEN IMP_RES_TAC ( SYM_RULE R_»rdy_del_THM> 

THEN IMP_RES_TAC ( SYM_RDLE R_reg_nel_THM) 

THEN IMP_RES_TAC ( SYM_ROLE R_ctrO_in_THM> 

THEN IMP_RBS_TAC ( S YM_RCLE R_CtrO_ntUX_eel_THM) 

THEN IMP_RBS_TAC ( SVM_RULE R_ctrO_irdan_THM) 

THEN IMP_RBS_TAC ( S YM_RULE R_CtrO_cry_THM) 

THEN IMP_RBS_TAC ( S YM_RULE R_ctrO_neW_THM) 

THEN IMPJRBS_TAC (SVM_RULE R_ctrO_out_THM) 

THEN IMP_RBS_TAC (SYM_RDLE R_etrO_orden_THM) 

THEN IMP_KBS_TAC (SYM_RULB R_ctrl_in_THM) 

THEN IMP_RES_TAC ( SYM_RULE R_ctrl_mux_eel_THM) 

THEN IMP_RBS_TAC (SYM_ROLE R_otrl_irden_THM) 

THEN IMP_RBS_TAC (SYM_RULE R_ctrl_cry_THM) 

THEN XMP_RES_TAC (SYM_ROLE R_ctrl_Hew_THM) 

THEN IMP_RBS_TAC ( SYM_RULB R_ctrl_OUt_THM) 

THEN IMP_RBS_TAC (STM_RULE R_ctrl_orden_THM) 

THEN IMP_RBS_TAC (SYM_RDLB R_Ctr2_in_THM) 

THEN IMP_RES_TAC (SYM_RULE R_Ctr2_mux_eel_THM) 

THEN IMP_RBS_TAC (SYM_RULE R_ctr2_irden_THM) 


41 



THEN IMP_RBS_TAC (SYM_RULE R_Ctr2_cry_THM) 

THEN IMP_RES_TAC (S7M_RULE R_ctr2_naw_THM) 

THEN IMP_RES_TAC ( SYM_RULB R_ctr2_OUt_THM) 

THEN IMP_RES_TAC ( SYM_RULE R_ctr2_ordon_THM) 

THEN IMP_RE S_TAC ( SYM_ROLE R_ctr3_in_THM) 

THEN IMP_RES_TAC (SYMJfUJLB R_c t r 3 _mux_s ■ 1_THM ) 

THEN IMP_RES_TAC <SYM_ROLB R_ctr3_irden_THM) 

THEN IMP_RES_TAC ( SYM_ROLE R_ctr3_ory_THM) 

THEN IMP_RES_TAC (SYM_RULE R_ctr3_new_THM) 

THEN IMP_RES_TAC (SYM_RtJLE R_ctr3_OUt_THM) 

THEN IMP_RES_TAC ( SYM_RULE R_ctr3_orden_THM) 

THEN IMP_RES_TAC (SYM_ROLB R_icr_load_THM) 

THEN IMP_RES_TAC ( SYM_ROLE R_icr_old_THM) 

THEN XMP_RES_TAC ( SYM_RULE R_icr_maak_THM) 

THEN IMP_RES_TAC ( SYM_RULE R_icr_THM) 

THEN IMP_RES_TAC (SVM_ROLE R_icr_rdon_THM ) 

THEN IMP_RBS_TAC ( SYMJRULR R_CCr_THM) 

THEN XMP_RES_TAC ( SYM_RULB R_ccr_rden_THM) 

THEN IMP_RES_TAC (SYM_RULE R_gcr_THM) 

THEN IMP_RES_TAC ( SYM_RULE R_gcr_rden_THM) 

THEN IMP_RBS_TAC (S1M_RULE R_sr_THM) 

THEN IMP_RE S_TAC ( SYM_RULE R_ar_rdan_THM) 

THEN ASM_REWRITE_TAC 

[SPEC "RClockNSF (rapt A REP_ty) ( (a t time->r_fltate) t) 
((at time->r_anv) t ) " 

(sym_RULE Stata_Salactora_Work) ] 


J 


% Subgoal 2t "p t m RClockOF rap (a t) (a t)" % 

SUBST_TAC [SPEC "( (pitime->r_out) t) " Out_Salectora_Work] 
THEN IMP_RBS_TAC ( SYM_RDLE I_ad_OUt_THM) 

THEN IMP_RBS_TAC ( SYM_RULE I_ardy_THM) 

THEN IMP_RBS_TAC ( SYM_RULE IntO_THM) 

THEN IMP_RES_TAC ( SYM_RULE Intl_THM) 

THEN IMP_RBS_TAC ( SYM_RULE Int2_THM) 

THEN IMP_RES_TAC ( SYM_RDLE Int3_THM) 

THEN IMPJRBS_TAC (SVM_RULB Ccr_THM) 

THEN XMP_RBS_TAC ( SYM_RULE Lad_THM) 

THEN IMP_RES_TAC ( SYM_RDLE Reaet_arror_THM) 

THEN IMP_RES_TAC ( SYM_RULE Pmm_iuvalid_THM) 

THEN ASM_REWRITB_TAC 

[SPBC "RClockOF (rapt *RBP_ty) ( (a t time->r_atate) t) 
( (attlma->r_anv) t ) " 

(SYM_RDLE out_Salaetora_Work) ] 


)»> 


cloaa_thaory Oil 


fr 


% 

Filet rc_thma.ini 

Author! (c) D.A. Fura 1992-93 

Datet 7 March 1993 

% 

let 1 animal = TAC_PROOF 

(([], "! (a b t bool) . a /\ (b \/ a) = a"), 

REPEAT OBN_TAC 

THEN BOOL_CASES_TAC "at bool" 

THEN REWRI TB_TAC [ ] 

)n 

let lemmal_apec = SPECIi ["( (R^fam_ratS( (attlme->r_atate) t) => RI I 

( (R_fam_atataS (a t) » RI) => 

( (-R_£am_ala_S(a t ) ) => RA | RI) | 

( (R_fam_atateS(s t) ■ RA) b> 

( (~R_fanL.mrdy_S(a t)) => RD I RA) I 
( (-R_fam_laat_S(B t)) => RI I RA) ) ) ) = RD)"; 
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" ( (R_f sm_rstS ( (s s time->r_state) t) => RI I 
( (R_fam i _BtateS(s t) = RI) => 

( ( ~R_£sm_aXe_S ( B t) ) »> RA I RI) I 
( (R_fam_stateS(a t) = RA) => 

( ( ~R_f am_mrdy_S ( s t ) ) => RD I RA) I 
((~R_fam_laat_S(s t ) ) => RI | RA)))) = RA)") 
lemmal; ; 


let lemma2 = TAC_PROOF 

(([], "! (a :rf8in_ty) . -(a = RD) /\ < (a = RA> \/ (a = RD)) = (a = RA)"), 
GEN_TAC 

THEN ASM_CASES_TAC "a = RD" 

THEN ASM_REWRITE_TAC [SYM_RULE (prove_conatructors_distinct rf ain_ty_Axiom) ] 

) ;; 

let lemma2_spec m SPEC " (R_f am^ratS ( (s s time->r_atate) t) => RI I 

( (R_f sm_stateS (a t) = RI) => 

( (~R_fsm_ale_S<8 t)) => RA I RI) I 
( (R_f am_atateS (a t) = RA) => 

( ( ~R_f sm_mrdy_S ( a t ) ) => RD I RA) I 
( (~R_fsm_last_S{8 t)) => RI I RA) ) ) ) " 
lemma 2 ; ; 

let lemma3 = TAC_PROOF 

(([], "! (a b ibool) . a \/ b \/ a = b \/ a"), 

REPEAT OEN_TAC 

THEN BOOL_CASES_TAC "a (bool" 

THEN BOOL_CASBS_TAC "b(bool" 

THEN RBWRITB_TAC [ ] 

);; 

let EXPANS ION_BQ tm = 
let leqtm = 

" ( ( ~R_ardy_del_S ( a ( t - 1 ) ) ) => 

INCN 3<R_reff_a#lS(a(t -1))) I 
R_reg_aelS ( a ( t - 1)))" in 
let r con j tm e mk_eq (leqtm, tm) in 
let lconjtm ■ 

"(~< (-SND(I_rale_E(e(t - 1)))) => 

ELEMENT (SND(I_ad_inE(e(t - 1))))27 I 
R_wrS ( a ( t - 1))) /\ 

( (R_£am_r8tS(8 (t - 1)) «=> 

RI I 

( (R_£am_atateS (a (t - 1) ) = RI) => 

( (~R_fam_ale_S(a(t - 1) ) ) => RA I RI) I 
( (R_£em_atateS(a (t - 1)) = RA) => 

( (-R_£arn_mrdy_s(a (t -1))) <=> RD | RA) I 
( (~R_£am_laat_S(a (t - 1))) => RI I RA) ) ) ) = 

RA) ) " in 

mk_conj (lconjtm, roonjtm);; 

let WORDN_NOT_E0_THMLIST tm « 
let 10 = if tm m "0" then [] 

elae ( REDUCE_RULE (SPECL ["0")tm] WORDN_3_NOT_EQUAL) 3 in 


let 

11 

S 

if tm e 

"1" then 10 









elae 10 

0 [REDUCE.RDLE 

(SPECL 

["l";tm] 

WORDN_3. 

_N0T_EQUAL) ] 

in 

let 

12 

= 

if tm « 

"2" then 11 









else 11 

0 [REDUCE_RULE 

(SPECL 

["2" jtm] 

W0RDN_3. 

_N0T_EQDAL) ] 

in 

let 

13 

= 

if tm s 

"3" then 12 









elae 12 

0 tREDDCE_RDLE 

(SPECL 

[ "3 " ; tm] 

WORDN_3. 

_NOT_BQOAL) ] 

in 

let 

14 

= 

if tm = 

"4" then 13 









elae 13 

0 [ REDUCB_RULB 

(SPECL 

I"4";tm] 

WORDN_3. 

_NOT_EQDAL) ] 

in 

let 

15 

= 

if tm = 

"5" then 14 









else 14 

0 [REDOCE_ROLE 

(SPECL 

("5";tmJ 

WORDN_3. 

_NOT_EQOAL) ] 

in 

let 

IS 

= 

if tm c 

"6" then 15 









else 15 

0 [ R2DUCE_RULE 

(SPECL 

["6";tm] 

WORDN_3. 

_NOT_EQUAL) ] 

in 

let 

17 

= 

if tm « 

"7" then 16 









else 16 

0 [REDDCE_RULE 

(SPECL 

["7 "jtm] 

WORDN_3. 

_NOT_BQUAL) ] 

in 

let 

18 

= 

if tm = 

"8" then 17 









else 17 

0 [REDUCE_RULB 

(SPECL 

t"8";tm] 

WORDN_3. 

_NOT_EQUAL) ] 

in 

let 

19 

- 

if tm > 

"9" then 18 









elae 18 

0 [REDUCE_RULE 

(SPECL 

t"9";tm] 

WORDN_3. 

_NOT_EQUAL) ] 

in 
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lat 110 


= if tm = 
alsa 19 l 


let 

in 

a if tm s 

let 

112 

alae 110 
= if tm = 

let 

113 

alee 111 
= if tm s 

let 

114 

elaa 112 
<= if tm b 

let 

115 

else 113 
■ if tm = 

115 

) ) 

alaa 114 


"10" than 19 
l [RBDUCBJRULE ( 
"11" then 110 
9 [REDOCB_RULE 
"12" than 111 
9 [REDUCB_RULE 
"13" than 112 
9 [REDUCE_RULE 
"14" than 113 
9 [REDUCB_RULE 
"15" then 114 
9 [ REDUCE_RULE 


SPECL ["10") tm] WORDN_3_NOT_BQUAL) ] 
(SPECL ["ll")tm] WORLN_3_NOT_EQUAL) ] 
(SPECL ["12") tm] WORDN_3_NOT_BQUAL) ] 
(SPECL ["13")tm] WORDN_3_NOT_EQUAL) ] 
(SPECL ["14") tm] WORDN_3_NOT_EQUAL) ] 
( SPECL [ " 15 " ) tm] WORDN_3_NOT_BQUAL ) ] 


in 

in 

in 

in 

in 

in 


let lemmaCF « TAC_PROOF 

({[],"! (t : time) (rep i A RBP_ty) (s 1 t ime->r_state) (a itime->r_eav) 

(p :tima->r_out) . 

( RBlock_QATE rep a a p) /\ (t > 0) 

■»> 

(Bual2n_CF 

(31,0) 

( (R_ctrO_irdanS(a t) => BUSN(R_etrO_inS(a t) ) I 0ffn),0ffn) 

( (R_ctrO_ordenS (a t) => BUSN(R_ctrO_outS (a t)) I Offn),Offn) 

( (R_ctrl_irdenS(a t) => BOSN(R_ctrl_inS (a t) ) I Offn),offn) 

( (R_ctrl_ordenS (a t) »> BDSN(R_ctrl_outS (a t ) ) I Of£n),Offn) 

( (R_ctr2_irdenS<a t) => BOSN(R^ctr2_inS(a t) ) I 0£fn),0f£n) 

( (R_ctr2_ordenS ( a t) => B0SN(R_ctr2_outS (a t)) I 0££n),0£fn) 

( (R_otr3_irdanS(a t) => BOSN(R_otr3_inS (a t) ) I Offn),Offn) 

( (R_ctr3_ordenS(a t) => BOSN(R_ctr3_outS (a t)) I Of£n),Offn) 

( (R_ier_rdenS(a t) => BtJSN(R_icrS(a t> ) I 0££n),0££n) 

( (R_ccr_rdanS(a t) -> BUSN (R_ccrS ( a t)) | 0££n),0££n) 

( (R_gor_rdanS (a t) «> BUSN (R_gcrS ( a t ) ) | O£fn),0ffn) 

( (R_ar_rdanS(a t) «> BUSN ( R^arS ( a t ) ) I Ofifn) ,OC£n) ) ") , 
RBWRITB_TAC [SYM_RULE ONB_LBSS_BQ] 

THEN REPEAT STRIP.TAC 

THEN IMP_RBS_TAC (SYM_ROLE (SPECL ["t I time") "1"] SUB_ADD) ) 

THEN ONCE_ASH_REWRITB_TAC [ ] 

THEN ONDISCH_TAC "RBlock_OATE rap a a p" 

THEN POP _ASSUM_LIST (MAP_EVBRY (\th. ALL_TAC) ) 

THEN RBWRI TE_TAC [RBlook_BXP) ( EXPAND_LBT_RULE Bual2n_CF) ) ASel) BSel] 
THEN REPEAT STRIP_TAC 

THEN POP^ASSOM_LIST (MAP_EVERY (\th. ASSUME_TAC (SPEC "t-1" th) ) ) 

THEN ASSUMB_TAC ( RBWRITB_RULE [] (REDUCE_CONV "0<=31") ) 

THEN IMP_RBS_TAC (SPECL ["31") "0"] OFFnP_0£fn) 

THEN ASM_REWRITB_TAC [lammal ) lamma2 ] 

THEN POP_ASSUM_LIST (MAP_BVERY (\th. ALL_TAC ) ) 

THEN ASSUMB_TAC ( REWRI TE_RULE [] (REDUCE_CONV "0<-31")) 

THBN IMP_RBS_TAC (SPECL ["31") "0"] 0FPnP_O££n) 

THEN IMP_RES_TAC (SPECL ["31") "0"] ONnP_Of£n) 

THBN IMP_RES_TAC (OEN_ALL (SPECL ["f twordn") "31") "0"] OFFnP_BUSN) ) 

THBN ASM_CASBS_TAC (EXPANSION_BQ "WORDN 8") 

THBN ASM_RBWRXTE_TAC ( [ wordnVAL_BUSN_IDENT ) wordnVAL_0£ £ n ) ONnP_BOSN ] 9 
(WORDN_NOT_EQ_THMLIST "8") ) 

THBN ASM_CASKS_TAC ( EXPANS ION_EQ "HOREN 12") 

THBN ASM_RBWRITE_TAC ( [ wordnVAL_BUSN_IDBNT ) wordnVAL_Of f n ) ONnP_BUSN ] 9 
(HORBN_NOT_BQ_THMLIST "12") ) 

THBN ASM_CASES_TAC (EXPANSION_EQ "WORDN 9") 

THBN ASM_REWRITB_TAC ( [wordnVAL_BUSN_IDENT)WordnVAL_0££n) ONnP_BOSN] 9 
(WORDN_NOT_BQ_THMLXST "9")) 

THBN ASM_CASBS_TAC ( EXPANS ION_EQ "WORDN 13") 

THBN ASM_RBWRITB_TAC ( [wordnVAL_BUSN_IDENT) wordnVAL_Offn) ONnP_BUSN] 9 
<WOREN_NOT_EQ_THMLIST "13")) 

THEN ASM_CASES_TAC ( EXPANS ION_EQ "WORDN 10") 

THEN ASM_REWRITB_TAC ( [wordnVAL_BDSN_IDENT ) WordnVAL_Of f n) ONnP_BUSN] 9 
( WORDN_NOT_BQ_THMLI S T "10")) 

THBN ASM_CASES_TAC (EXPANSION_EQ "WORDN 14") 

THEN ASM_RBWRITB_TAC ( [wordnVAL_B0SN_IDBNT)WOrdnVAL_0££n)0NnP_BUSN] 9 
( WORDN_NO T_E Q_THML 1ST "14")) 

THBN ASM_CASBS_TAC (EXPANSION_BQ "WORDN 11") 

THBN ASM_REWRITB_TAC ( [wordnVAL_BOSN_IDENT) wordnVAL_Of f n) ONnP_BDSN] 9 
(WORDN_NOT_BQ_THMLIST "11")) 

THEN A3M_CASBS_TAC ( EXPANS ION_EQ "WORDN 15") 
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THEN ASM_REWRITE_TAC ( [wor dnVAL_BUSN_IDBNT ; wordnVAL_Of f n ; ONnP_BUSN ] ® 

( WORDN_NOT_EQ_THML 1ST "15")) 

THEN ASM_CASBS_TAC (EXPANSION_BQ "WORDN 3") 

THEN ASM_RBWRITS_TAC ( [ wor dnVAL_BUSN_IDENT ; wor dnVAL_Of f n ; ONnP_BUSN ] ® 
(WORDN_NOT_BQ_THMLIST "3")) 

THEN ASM_CASBS_TAC (BXPANSION_SQ "WORDN 2") 

THEN ASM_RBWRITE_TAC ( [wordnVAL_BUSN_IDENT;wordnVAL_Offn;ONaP_BUSN) ® 
(WORDN_NOT_EQ_THMLIST "2")) 

THEN ASM_CASES_TAC (EXPANSION_BQ "WORDN 4") 

THEN ASM_REWRITE_TAC ( [wordnVAI,_BUSN_IDKNT/WordnVAL_Of fn;ONnP_BUSNJ ® 
(WORDN_NOT_E(2^THMLIST "4")) 

THEN REWRITE _TAC [COND_TRUE_CHOICBS] 

);; 

set_flag ( 'print _all_subgoals ' , falsa);; 

let R_ctrOS_THM » prove_thm 
( 'R_ctrOS ' , 

"1 (t itima) (rep t A RBP_ty) (s itime->r_state) (e ttime->r_env) 

(p itima->r_out) . 

RBlock_OATE rep sap 
=■> 

(R_ctrOS (RClockNSF rep (s t) (at)) = R_ctrOS (s (t+1)))", 

RKWRITBTAC [R_ctrOS ; RBlock_BXP ; RClookNSP_BXP ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RBWRITE_TAC H 
);; 

let R_ctrlS_THM = prove_thm 
( 'R_otrlS' , 

"I (t itima) (rap : A REP_ty) (a i time->r_atate) (a i time->r_env) 

(p !tima->r_out) . 

RBlock_OATB rap sap 
==> 

(R_ctrlS (RClockNSF rap (s t) (at)) ■ R_ctrlS (s (t+1)))", 

REWRITE_TAC [R_ctrlS ; RBlock_EXP ; RClockNSF_BXP] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITB_TAC[] 

);» 

let R_ctr2S_THM a prove_thm 
( 'R_ctr2S ' , 

"1 (t itima) (rep t A REP_ty) (s : time->r_stata) (a i time->r_env) 

(p itime->r_out) . 

RBlock_OATE rap sap 
==> 

(R_ctr2S (RClockNSF rap (s t) (at)) = R_ctr2s (s (t+1)))", 

RBWRITB_TAC [R_ctr2S; RBlock_EXP; RClockNSF_BXP] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITB_TAC [] 

)>! 

let R_ctr3S_THM a prove_thro 
( 'R_ctr3S' , 

"I (t itima) (rap i A REP_ty) (a itime->r_state) (a itime->r_env) 

(p ttima->r_out) . 

RBlock_GATB rap sap 

B = > 

(R_ctr3S (RClockNSF rap (a t) (at)) = R_ctr3S (s (t+1)))", 

RBWRITE_TAC [R_ctr3S; RBlock_EXP ; RClockNSF_BXP] 

THEN REPEAT STRIPJTAC 
THEN ASM_RBWRITB_TAC t ] ) ; ; 

))J 

let R_busA_latchS_THM = prove_thm 
( 'R_busA_latchS ' , 

"! (t itima) (rap t A REP_ty) (s itime->r_state) (a itime->r_env) 

(p ttime->r_out) . 

RBlock_OATE rep sep/\t>0 

aa> 

(R_busA_latchS (RClockNSF rep (s t) (at)) = R_busA_latchS (s (t+1)))", 
REPEAT STRIP_TAC 
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THBN IMP_RBS_TAC lemmaCF 

THEN UNDISCH_TAC "RBlock_QATB rep s e p" 

THBN RBWRITE_TAC [R_busA_latchS;RBlock_BXP;RClockNSF_BXP] 

THBN REPEAT STRIP_TAC 
THBN ASM_RSWRITB_TAC [ ] 

THBN POP_ASSUM_LIST (MAP_BVBRY (\th. ALL_TAC) ) 

THBN ASSUME_TAC (RBWRITB_RULE [] (RBDUCE_CONV "0<=31")) 

THBN IMP_RBS_TAC (SPBCL ["31"; "0"] 0FFnP_0££n) 

THEN XMP_RBS_TAC (SPBCL ["31"; "0"] ONnP_Offn) 

THEN IMP_RBS_TAC (OBN_ALL( SPBCL [ "f : wordn" ; "31" ; "0 " ] OFFnP_BUSN) ) 

THBN ASM_CASBS_TAC "R_otrO_irdenS( (Bitinie->r_state) t)" 

THBN ASH_RBWRITE_TAC [wordnVAL_BUSN_IDENT;wordnVAL_Of £n;ONnP_BUSN] 

THBN ASM_CASBS_TAC "R_ctrO_ordenS ( ( a i time->r_state) t)" 

THBN ASM_RBWRITB_TAC [wordnVAL_BDSN_IDENT ; wordnVAL_Of f n; ONnP_BUSN] 

THBN ASM_CASBS_TAC "R_ctr l_irdenS ( ( a ! time->r_atate) t)" 

THBN ASM_RBWRITB_TAC [wordnVAL_BDSN_IDENT;WOrdnVAL_0f fn;ONnP_BUSN] 

THEN ASM_CASBS_TAC "R_ctrl_ordenS ( (s itime->r_state) t)" 

THBN ASM_RKWRITB_TAC [wordnVAL_BUSN_IDBNT;wordnVAL_Offn;ONnP_BUSN] 

THBN ASM_CASES_TAC "R_ctr2_lrdenS ( (s stime->r_state) t) " 

THBN ASM_RBWRITB_TAC [wordnVAL_BtJSN_IDBNT ; wordnVAL_0£ £n; ONnP_BOSN] 

THBN ASM_CASBS_TAC "R_ctr2_ordenS ( (s : time->r_Btate) t) " 

THBN ASM_REWRITE_TAC [wordnVAL_BOSN_IDBNT;wordnVAL_Of fn;ONnP_BUSN] 

THBN ASH_CASBS_TAC "R_ctr3_irdenS ( (s t tlm#->r_state) t)" 

THBN ASM_RBWRITE_TAC [wordnVAL_BUSN_IDENT;wordnVAL_Offn;ONnP_BUSN] 

THEN ASM_CASBS_TAC "R_ctr3_ordenS ( (at tlme->r_state) t)" 

THBN ASM_RBWRITB_TAC [wordnVAL_BUSN_IDBNT ) WordnVAL_Of f n; ONnP_BUSN] 

THBN ASM_CASBS_TAC "R_lcr_rdenS ( (a > tlme->r_8tate) t)" 

THEN ASM_RBWRITE_TAC [wordnVAL_BUSN_IDBNT ; wordnVAL_Of f n; ONnP_BUSN] 

THEN ASM_CASBS_TAC "R w ccr_rdenS ( (s t time->r_8tate) t)" 

THBN ASM_REWRITB_TAC [wordnVAL_BUSN_IDBNT ; wordnVAL_0£ £n> ONnP_BHSN] 

THBN ASM_CASES_TAC "R_ffcr_rd#nS ( (s : time->r_state) t)" 

THEN ASM_RBWRITB_TAC [wordnVAL_BUSN_IDBNT;wordnVAL_0£fn;ONnP_BUSN] 

THBN ASM_CASES_TAC "R_flr_rdenS( (B«time->r_atate) t) " 

THBN ASM_RBWRITB_TAC [wordnVAL_BDSN_IDBNT;wordnVAL_0£fn>ONnP_BUSN] 

THBN UNDISCH_TAC "RBlook_OATB rep a e p" 

THBN POP_ASSUM_LXST (MAP_BVBRY (Nth. ALL_TAC) ) 

THBN RKWRITB_TAC [RBlock_BXP; (BXPAND_LET_ROLE Bual2n_CF) ;ASel;BSel] 

THBN RBPBAT STRXP_TAC 

THBN POP_jASStJM_LIST (MAP_BVBRY (Nth. ASSUME_TAC (SPEC "t-1" th) ) ) 

THBN ASSUMB_TAC ( RBWRXTB_RULE [] ( RBDUCB_CONV " 0 < = 3 1 " ) ) 

THBN IMP_RBS_TAC (SPBCL ["31"; "0"] 0FFnP_0£fn) 

THBN ASM_RBNRITB_TAC [ lemmal ; lemma2 ] 

);; 

let R_fsnuetateS_THM = provethm 
( ' R_f 8nv_stateS ' < 

"1 (t ttime) (rep i*RBP_ty) (a t time->r_state) (e itime->r_env) 

(p itime->r_out) . 

RBlock_OATB rep a e p 

(R u _£8m_»tateS (RClockNSF rep (s t) (e t)) = R_fanustateS (a (t+1)))", 
RBWRITB_TAC [R_£ BIA_»t ateS ; RBlock_BXP ; RClockNSF_EXP ] 

THBN RBPBAT STRIP.TAC 
THBN ASH_REWRXTE_TAC [ ] 

);; 

let R_£Bin_ale_S_THM = prove_thm 
( ' R_£ 8m_«le_S ' , 

"1 (t ttlme) (rep t*REP_ty) (s t time->r_state) (e !time->r_env) 

(p ttime->r_out) . 

RBlock_OATB rep 8 e p 

(R_£am_ale_S (RClockNSF rep (s t) (e t)) = R_f Bm_ale_S (a (t+1)))", 
RKWRITE_TAC [R_£am_ale_S ; RBlock_BXP ; RClockNSF_EXP ] 

THBN RBPBAT STRXP.TAC 
THBN ASM_RBWRITB_TAC [ ] 

)»; 

let R_£ sm l _mrdy_S_THM * prove_thm 
( ' R_£ aiRjmrdy_S ' , 

"! (t :time) (rep i*REP_ty) (s itlme->r_state) (e itime->r_env) 

(p :time->r_out) . 
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RBlock_QATB rep a e p 
==> 

(R_f sm_mrdy_S (RClockNSF rep (s t) (e t ) ) = R_f am_mrdy_S (s (t+1)))", 
RRWRITE_TAC [R_f am_mrdy_S ; RBlock_EXP > RClockNSF_EXP ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [ ] 

)ll 

let R_f sit_last_S_THM ■ prove_thm 
( 'R_f anulaa^S' , 

"1 (t itlme) (rep t*REP_ty) (s itime->r_atate) (e :time->r_env) -- 
(p itime->r_ovit) . 

RBloek_OATE rep s e p 
= = > 

(R_£sm_laat_S (RClockNSF rep (a t) (e t)) = R_fam_la8t_S (a (t+1)))", 
REWRITB_TAC [R_f am_laat_S ; RBlock_EXP ; RClockNSF_EXP ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRXTB_TAC [ ] 

);; 

let R_f am_ratS_THM = prova_thm 
( 'R_f am_ratS' , 

*! (t itlme) (rep t *REP_ty) (a itime->r_state) (e :time->r_env) 

(p itime->r_out) . 

RBlock_OATE rep a e p 
»> 

(R_fam_ratS (RClockNSF rep (a t) (e t)) = R_£anv_rstS (a (t+1)))", 
REWRITE_TAC [R_f am_r a t S ; RBlock_BXP ; RClockNSF_EXP ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RBWRITE_TAC [ ] 

);; 

let R_int 0_diaS_THM = prove_thm 
( 'R_intO_diaS ' , 

" ! (t :time) (rep i*RBP_ty) (a :tlme->r_atate) (e itime->r_env) 

(p !time->r_out) . 

RBlock_OATE rep a e p 

(R_intO_diaS (RClockNSF rep (a t) (e t)) = R_intO_diaS (a (t+1)))", 
REWRITE_TAC [R_int 0_diaS ; RBlock_EXP ; RClockNSF_BXP ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RBMRITE_TAC [] 

);; 

let R_int3_dlaS_THM « prove_thm 
( 'R_int3_diaS', 

"! (t itlme) (rep i*REP_ty) (a itlme->r_atate) (e itime->r_env) 

(p itime->r_out) . 

RBlock_OATE rep a e p 

M> 

(R_iat3_diaS (RClockNSF rep (a t) (e t ) ) = R_int3_disS (a (t+1)))", 
REWRITB_TAC [ R_int 3_disS ; RBlock_EXP » RClockNSF_BXP ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RBWRITE_TAC [ ] 

) It 

let R_c01_cout_delS » prove_thm 
( 'R_c01_cout_delS ' , 

"1 (t itlme) (rep t*RBP_ty) (a itime->r_atate) (e ttime->r_env) 

(p 1 1 line - > r out ) . 

RBlock_OATB rep a e p 

(R_c01_cout_delS (RClockNSF rep (a t) (e t ) ) = 

R_c01_cout_delS (a (t+1)))", 

REWRITB_TAC [R_c01_cout_delS; RBlock_BXP ; RClockNSF_BXP] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [ ] 

)ll 

let R_intl_enS_THM ■ prove_thm 
( 'R_intl_enS' , 

"! (t itlme) (rep i *REP_ty) (a itlme->r_atate) (e ttime->r_env) 
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(p itime->r_out) . 
RBlock_G>ATE rap sap 


(R_intl_enS (RClockNSP rep (s t) (at)) = R_intl_enS (s (t+1)))" 
RBWRITB_TAC lR_iatl_enS ; RBlock_BXP ; RClockNSP_EXP ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC 
[SPECL 

["( (R_£sm_rstS( (sitime->r_8tate) t) => RI I 
( (R_fam_stateS(s t) = RI) => 

( (~R_£em_ale_S(s t)) ■> RA I RI) I 
{ (R_£sm_stataS(s t) = RA) => 

( (~R_£am_mrdy_S (s t ) ) => RD I RA) I 
( (~R_fsnv_la»t_S(s t) ) => RI I RA) ) ) ) = RD)"> 

" ( (R_f sm_rstS ( (a i tima->r_state) t) => RI I 
( (R_£sm_stateS(s t) = RI) => 

( (~R_£ain_ale_S(9 t ) ) => RA I RI) I 
( (R_fsm_»tateS(s t) = RA) = > 

( (-R_£snL.mrdy_S(s t) ) «> RD I RA) I 
( (~R_£snL.laat_S(s t) ) => RI I RA) ) ) ) = RA)"] 
lemmal] 

) ; l 

let R_c23_cout_dalS_THM * prove_thm 
( 'R_o23_cout_dalS ' , 

"! (t itima) (rap i A REP_ty) (a itime->r_atate) (a itima->r_env) 

(p stime->r_out) . 

RBlock_GATE rep a a p 
•» 

(R_c23_cout_delS (RClockNSP rap (a t) (at)) = 

R_c23_cout_delS (a (t+1)))", 

RBWRITE_TAC [R_e23_cout_dalS j RBlock_EXP ; RClockNSF_EXP ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [ ] 

) JJ 

let R_int2_enS_THM = prova_thm 
( 'R_int2_enS' , 

" I (t itima) (rap i A REP_ty) (a itima->r_atata) (a i time->r_env) 

(p itime->r_out) . 

RBlock_OATE rap a a p 

(R_int2_enS (RClockNSP rap (a t) (at)) = R_int2_enS (a (t+1)))" 
REWRITE_TAC IR_int 2_enS j RBlock_HXP ; RClockNSF_BXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_RBWRITB_TAC [ lemmal_apac ] 

);) 

let R_wrS_THM ■ prove_thm 
( ' R_wrS ' , 

"1 (t itima) (rap i*REP_ty) (a itime->r_atata) (a ttime->r_env) 

(p itima->r_out) . 

RBlock_OATE rap sap 
«■> 

(R_wrS (RClockNSP rep (a t) (at)) = R_wrS (a (t+1)))", 

REWRI TE_TAC [R_WTS j RBlock_EXP > RClockNSF_EXP ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [ ] 

)!! 

let R_cntlatch_delS_THM m prove_thm 
( 'R_cntlatch_delS ' , 

"1 (t itima) (rap t *REP_ty) (a i time->r_atate) (a itime->r_env) 

(p i time->r_out) . 

RBlock_OATE rap sap 

(R_cntlatch_delS (RClockNSP rep (a t) (at)) = 

R_cntlatch_dels (a (t+1)))", 

RBWRITE_TAC [R_cntlatch_delS ; RBlock_EXP; RClockNSP_EXP ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [ ] 

)»; 
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let R_ardy_del_S_THM = prove_thm 
( 'R_ardy_del_S ' , 

"1 (t itime) (rep t A REF_ty) (e itime->r_atate) (e ttime->r_env) 

(p itime->r_out) . 

RBlock_GATB rep e e p 
*as> 

(R_srdy_del_S (RClockNSF rep (s t) (e t ) ) = R_srdy_del_S (s (t+1)))", 
REWRITB_TAC IR_erdy_del_S ; RBlock_EXP ) RClockNSF„EXP ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RBWRITB_TACtl 

)!l 

let R_reg_eelS_THM = prove_thm 
( 'R_reg_aelS ' , 

"I (t itime) (rep t A REP_ty) (e itime->r_atate) (e itime->r_env) 

(p itime->r_out) . 

RBlock_QATE rep a e p 

(R_reg_aelS (RClockNSF rep (a t) (e t)) = R_reg_aelS (a (t+1)))", 
REWRITB_TAC [R_reg_aelS j RBlock_EXP ; RClockNSF_EXP ] 

THEN REPEAT STRIP_TAC 
THEN ASM_RBWRITB_TAC [) 

)n 

let R_ctrO_inS_THM = prove_thm 
( 'R_ctrO_inS' , 

"1 (t itime) (rep t A REP_ty) (a itime->r_atate) (e :time->r_env) 

(p itime->r_out) . 

RBlock_OATE rep a e p 
==> 

(R_ctrO_inS (RClockNSF rep (a t) (e t) ) = R_ctrO_inS (a (t+1)))", 
REWRITE_TAC [R_ctr 0_inS ; RBlock_EXP ; RClockNSF_EXP ] 

THEN REPEAT STRXP_TAC 

THEN ASM_REHRITB_TAC[lemmal_apec] 

)I1 

let R_ctrO_mux_selS_THM = prove_thm 
( 'R_ctrO_mux_selS ' , 

"1 (t itime) (rep i A RBP_ty) (a itime->r_8tate) (e ttime->r_env) 

(p ttima->r_out) . 

RBlock_OATE rep a e p 

BB> 

(R_ctrO_mux_eelS (RClockNSF rep (at) (e t) ) = 

R_ctrO_mux_aelS (a (t+1)))", 

REWRITB_TAC IR_ctrO_mux_aelS ; RBlock_EXP ;RClockNSF_EXP ) 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITB_TAC [ lemmal_apec ] 

)l» 

let R_ctrO_irdenS_THM = prove_thm 
( 'R_ctrO_irdenS' , 

"1 (t itime) (rap i A REP_ty) (a itime->r_atate) (e ttime->r_env) 

(p itime->r_out) . 

RBlock_OATE rep a e p 
=«> 

(R_ctrO_irdenS (RClockNSF rep (a t) (e t)) = R_ctrO_irdenS (a (t+1)))", 
REWRXTB_TAC (R_ctrO_irdenS ; RBlock_BXP » RClockNSF_EXP 3 
THEN REPEAT STRIP_TAC 

THEN ASM_REWRITE_TAC [ lemmal_spec ; lemma2_apec] 

);; 

let R_ctrO_cryS_THM = prove_thm 
( ' R_ctrO_cryS ' , 

"! (t itime) (rep t A RBP_ty) (a itime->r_atate) (e ttime->r_env) 

(p itime->r_out) . 

RBlock_OATB rep a e p 
»*> 

(R_ctrO_cryS (RClockNSF rep (a t) (e t ) ) = R_ctrO_cryS (a (t+1)))", 
RBWRITB_TAC (R_CtrO_cryS; RBlock_EXP ) RClockNSF_EXP] 

THBN REPEAT STRIP_TAC 

THEN ASM_REWRITB_TAC [lemmal_apec ; lemma2_apec] 
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) n 

lot R_ctrO_newS_THM = prove_thm 
( 'R_ctrO_newS ' , 

"1 (t ttlme) (rop t A REP_ty) (s ttime->r_atata) (o i time->r_env) 

(p itime->r_out) . 

RBlock_GATB rap a a p 
•»> 

(R_ctrO_newS (RClockNSF rap (a t) (at)) = R_ctrO_nowS (e (t+1)))", 
REWRITB_TAC IR_ctrO_nawS> RBlock_BXP ; RClockNSF_EXP ] 

THBN REPEAT STRXP_TAC 

THEM ASM_RBWRITE_TAC [ leramal_spec ; lemma2_apec 1 

)>J 

lot R_ctrO_outS_THM = provo_thm 
( ' R_otr 0_outs ' / 

"1 (t itlma) (rap i A RBP_ty) (a itime->r_atata) (a < time->r_env) 

(p itime->r_out) . 

RBlock_OATB rop a a p 

an> 

(R_ctrO_outS (RClockNSF rap (a t) (at)) = R_ctrO_outS (a (t+1)))", 
RBWRITE_TAC (R_ctr0_OUtS ; RBlock_EXP ; RClockNSF_EXP ) 

THEN REPEAT STRIP_TAC 

THBN ASM_REWRITE_TAC ( lommal_apac ; lenma2_apec ] 

)»; 

lot R_ctrO_ordanS_THM = prova_thm 
( 'R_ctrO_ordenS • , 

"1 (t ttimo) (rap i A RBP_ty) (a itime->r_atate) (a itima->r_env) 

(p ttlao->r_out) . 

RBlock_OATE rap a a p 

1S> 

(R_ctrO_ordoiLS (RClockNSF rop (a t) (at)) = R_ctrO_ordonS (a (t+1)))" 
REWRITE_TAC (R_ctrO_ordonS ; RBlock_EXP ; RClockNSF_EXP ) 

THEN REPEAT STRIP_TAC 

THBN ASN_RBWRXTR_TAC t lemmal_apec ; lamsia2_apac ] 

)ll 

lot R_ctrl_lnS_THM « prove_thm 
( 'R_ctrl_inS', 

"1 (t itime) (rap i A REP_ty) (a !timo->r_atato) (a i tima->r_anv) 

(p itima->r_out) . 

RBlock_OATE rap a a p 
--> 

(R_ctrl_inS (RClockNSF rap (a t) (at)) = R_ctrl_inS (a (t+1)))", 
RBWRITB_TAC (R_ctrl_inS ; RBlock_EXP i RClockNSF_EXP ] 

THEN REPEAT STRIP_TAC 

THBN ASM_RBWRITB_TAC [ lansnal_apac ; lamma2_apec ] 

) ; i 

lot R_ctrl_jnux_aelS_THM c provo_thm 
( 'R_ctrl_rmir_ealS ' , 

"1 (t itlma) (rap i A RBP_ty) (a itimo->r_atato) (a t timo->r_onv) 

(p itlmo->r_out) . 

RBlock_OATE rap a a p 

==■> 

(R_ctrl_raux_aalS (RClockNSF rep (8 t) (at)) = 

R_ctrl_mux_aals (a (t+1)))", 

RBWRI TB_TAC (R_ctrl_raux_aalS ; RBlock_EXP; RClockNSF_EXP ] 

THBN REPEAT STRIP_TAC 

THEN ASM_REWRITE_TAC [lammal_spocj lamma2_apec] 

)ll 

lot R_ctrl_irdanS_THM » provo_thm 
( 'R_ctrl_irdanS' , 

"1 (t itlma) (rop i A REP_ty) (a itimo->r_atate) (a t time->r_env) 

(p itlmo->r_out) . 

RBlock_OATE rap sap 

(R_ctrl_irdonS (RClockNSF rap (a t) (at)) = R_ctrl_irdonS (a (t+1)))" 
REWRITB_TAC (R_Ct rl_lrdanS ; RBlock_EXP > RC loekNSF_BXP ] 

THEN REPEAT STRXP_TAC 
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THEN ASM_REWRITE_TAC [lemmal_apee; lemma2_apec] 

)n 

let R_ctrl_cryS_THM = prove_thm 
( 'R_ctrl_cryS', 

"l (t itime) (rep i A REP_ty) (e itime->r_atate) (e itime->r_env) 

(p itime->r_out) . 

RBlock_OATB rep s e p 

(R_ctrl_cryS (RClockNSF rep (s t) (e t)) = R_ctrl_erys ( s (t+1)))", 
REWRITE_TAC [R_ctr l_cryS ; RBlock_EXP ; RClockNSF_EXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITE_TAC [ lemmal_spec ; leitima2_apec] 

)>> 

let R_ctrl_newS_THM = prove_thm 
( 'R_ctrl_nawS' , 

"! (t itime) (rep t A REP_ty) (» itime->r_state) (e itime->r_env) 

(p itime->r_out) . 

RBlock_QATE rep s e p 

(R_ctrl_newS (RClockNSF rep (s t) (e t ) ) = R_ctrl_newS (a (t+1)))", 
RBWRITE_TAC [R_ctrl_newS > RBlock_BXP ; RClockNSF_KXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_RBWRITE_TAC [ lemmal_spec ; lemma2_spec ] 

) II 

let R_ctrl_outS_THM = prove_thm 
( 'R_ctrl_outS ' , 

"I (t itime) (rep t A REP ty ) (a itime->r_atate) (e ttime->r_env) 

(p itime->r_out) . 

RBlock_OATE rep a e p 

(R_ctrl_outS (RClockNSF rep (a t) (e t ) ) = R_ctrl_outS (a (t+1)))", 
RBWRITE_TAC (R_ctr l_outS , RBloek_EXP » RClockNSF_BXP ) 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITE_TAC [ lemmal_apec ; lemma2_apec ] 

)>J 

let R_ctrl_ordenS_THM = prove_thm 
( 'R_ctrl_ordenS' , 

"1 (t itime) (rep i A REP_ty) (a itime->r_state) (e itime->r_env) 

(p itime->r_out) . 

RBlO 0 k_OATE rep a e p 

(R_ctrl_ordenS (RClockNSF rap (a t) (at)) = R_ctrl_ordenS (a (t+1)))", 
RBWRITB_TAC tR_ctr l_ordenS ; RBlock_BXP ( RC lockNSF_EXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITB_TAC [ lemmal_apec ; lemma2_apac ] 

) !) 

let R_ctr2_inS_THM = prove_thm 
( 'R_ctr2_inS' , 

"! (t itime) (rep i A REP_ty) (a itime->r_atate) (e itime->r_env) 

(p itime->r_out) . 

RBlock_QATE rep a e p 
=■=> 

(R_ctr2_inS (RClockNSF rep (a t) (e t) ) = R_ctr2_inS (a (t+1)))", 
REWRXTE_TAC [R_Ctr2_inS J RBlock_EXP ;RClockNSF_EXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITB_TAC [lemmal_spec; lemma2_spec] 

);; 

let R_ctr2_mux_aelS_THM = prove_thm 
( 'R_ctr2_mux_aelS ' , 

“I (t itime) (rep i A HEP_ty) (a itime->r_atate) (e itime->r_env) 

(p itime->r_out) . 

RBlock_OATE rep a e p 

(R_ctr2_mux_aelS (RClockNSF rep (a t) (e t) ) = 

R_ctr2_mux_aelS (a (t+1)))", 

REWRITE_TAC [R_ctr2_raux_eelS ; RBlock_BXP ; RClockNSF_EXP ] 
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THEN REPEAT STRIP_TAC 

THEN ASM_REWRITE_TAC [ lemmal.apec ; lemma2_apec ] 

);; 

let R_ctr2_irdenS_THM = prove_thm 
( ' R_ctr2_irdenS ' , 

"1 (t ttlma) (rep : A RBP_ty) (a i time->r_atate) (e itlme->r_env) 

(p :time->r_out) . 

RBlock_OATE rep a e p 

(R_ctr2_irdenS (RClockNSF rep (a t) (e t)) = R_ctr2_lrdenS (S’ (t+1)))", 
REWRITE_TAC [R_ctr2_lrdenS ; RBlock_BXP i RClockNSF_EXP ) 

THEN RBPBAT STRIP_TAC 

THEN ASM_REWRITB_TAC [ lemma lspec ; lemma2_apec ] 

)>» 

let R_ctr2_oryS_THM * prove_thm 
( 'R_ctr2_crys' , 

"1 (t ttime) (rep i A REP_ty ) (a : time- >r_st ate) (e ttime->r_env) 

(p >time->r_out) . 

RBlock_QATE rep a e p 
==> 

(R_etr2_cryS (RClockNSF rep (a t) (e t)) = R_ctr2_cryS (a (t+1)))", 
REWRITE_TAC [R_ctr2_cryS ; RBlock_EXP > RClockNSF_EXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_RRWRITE_TAC [ lemmal_apec ; lemma2_spec ] 

);; 

let R_ctr2_newS_THM = prove_thm 
( ' R_etr2_newS ' , 

"1 (t (time) (rep i*REP_ty) (a !time->r_atate) (e :time->r_env) 

(p ttime->r_out) . 

RBlock_OATB rep a e p 
■»> 

(R_ctr2_newS (RClockNSF rep (a t) (e t)) = R_ctr2_newS (a (t+1)))", 
RENRITE_TAC [R_Ctr2_newS > RBlock_BXP > RClockNSF_EXP ] 

THEN RBPBAT STRXP_TAC 

THEN ASM_REWRITE_TAC [ lemmal_apec ; lemma2_spec ] 

);» 

let R_ctr2_outS_THM = prove_tbm 
( 'R_etr2_outS ' , 

"1 (t (time) (rep i A REP_ty) (a : time->r_etate) (e itlme->r_env) 

(p itime->r_out) . 

RBlock_3ATE rep a e p 

(R_ctr2_outS (RClockNSF rep (8 t) (e t) ) = R_ctr2_outS (a (t+1)))", 
REWRITE_TAC (R_Ctr2_OUtS; RBlock_BXP ; RClockNSF_EXP ] 

THEN RBPBAT STRXP_TAC 

THEN ASM_REWRITE_TAC [ lemmal„apec 1 lemnui2_apec ] 

);; 

let R_ctr2_ordenS_THM = prove_thm 
( ' R_etr2_ordenS • , 

"1 (t ttima) (rep t*REP_ty) (a :tlme->r_atate) (e itime->r_env) 

(p : time->r_out) . 

RBlock_OATE rep a e p 

(R_ctr2_ordenS (RClockNSF rep (a t) (e t)) = R_ctr2_ordenS (a (t+1)))", 
RBWRITE_TAC [R_ctr2_ordenS > RBloek_EXP ; RClockNSF_EXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRXTE_TAC (lemmal_apec i lenana2_apec ] 

)ll 

let R_ctr3_inS_THM m prove_thm 
( 'R_ctr3_inS' , 

"I (t ttime) (rep t A REP_ty) (a : time- >r_st ate) (e itime->r_env) 

(p itime->r_out) . 

RBlock_OATE rep a e p 
«•> 

(R_ctr3_inS (RClockNSF rep (a t) (e t) ) = R_ctr3_inS (a (t+1)))", 
REWRITE_TAC (R_ctr3_inS ; RBlock_EXP ; RClockNSF_EXP ] 
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THEN REPEAT STRIP_TAC 

THEN ASM_RBWRITE_TAC [lemmal_apec; lemma2_spac] 

)ll 

lot R_ctr3_mux_aelS_THM = prove_thm 
( 'R_ctr3_mux_aelS ' , 

* ! (t itime) (rep i A REP_ty) (a itima->r_atate) (e itime->r_env) 

(p ttime->r_out) . 

RBlock_GATE rep s e p 
==> 

(R_ctr3_mux_selS (RClockNSF rep (s t) (e t)) = 

R_ctr3_max_selS (s (t+l)))" # 

REMRITB_TAC (R_ctr3_mux_eelS j RBlock_BXP ; RCloekNSF_BXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITE_TAC ( lemmal_apec ; lemma2_apec] 

);; 

let R_ctr3_irdenS_THM = prove_thm 
( 'R_otr3_irdenS ' , 

"1 (t itime) (rap i A RBP_ty) (a itime->r_atate) (e itime->r_env) 

(p :time->r_out ) . 

RBlock_GATB rep a e p 

(R_otr3_irdenLS (RClockNSF rep (a t) (e t)) = R_ctr3_irdenS (a (t+1)))" 
REWRXTB_TAC [R_ctr3_irdenS ) RBlock_EXP ) RClockNSF_BXP ] 

THEN RBPBAT STRIP_TAC 

THEN ASM_RBWR1TB_TAC [ lemmal_apec > lemma2_apec ] 

)n 

let R_ctr3_cryS_THH = prove_thm 
( 'R_ctr3_cryS ' , 

"1 (t itime) (rep i A REP_ty) (a itime->r_atate) (e itime->r_env) 

(p itime->r_out) . 

RBlock_GATB rep a a p 

s«> 

(R_ctr3_cryS (RClockNSF rep (a t) (e t)) = R_ctr3_cryS (a (t+1)))", 
REWRITB_TAC [R_ctr3_cryS ; HBlock_EXP ; RClockNSF_EXP ] 

THEN RBPBAT STRIP_TAC 

THEN ASM_RBWRXTB_TAC [ lemmal_apec ; lemma2_apec ] 

);; 

let R_ctr3_newS_THM « prove_thm 
( 'R_ctr3_newS ' , 

"! (t itime) (rep i A REP_ty) (a itime->r_atate) (e ttime->r_env) 

(p itime->r_out) . 

RBlock_GATB rep a a p 
==> 

(R_ctr3_newS (RClockNSF rep (a t) (a t ) ) = R_etr3_newS (a (t+1)))", 
RBWRITB_TAC [R_ctr3__newS ; RBlock_EXP ; RClockNSF_BXP] 

THEN REPEAT STRIP_TAC 

THEN ASM_RBWRITB_TAC [lemmal_apec ; lamma2_apec ] 

)>l 

let R_ctr3_outS_THM •= provo_thm 
( 'R_ctr3_outS ' , 

"I (t itime) (rep t A REP ty ) (a itime->r_atate) (e ttime->r_env) 

(p itime->r_out) . 

RBlock_GATE rep a a p 
= = > 

(R_ctr3_outS (RClockNSF rep (a t) (at)) a R_ctr3_outS (a (t+1)))", 
REWRITE_TAC (R_ctr3_outS j RBlock_BXP > RClockNSF_BXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_RBWRITB_TACtlemmal_apecj lemma2_apec] 

) II 

let R_ctr3_ordenS_THM = prov#_thm 
( ' R_ctr 3_ordenS ' , 

"I (t itime) (rep t A REP_ty) (a itime->r_atate) (e itime->r_env) 

(p itime->r_out) . 

RBlock_GATB rep a e p 

(R_ctr3_ordenS (RClockNSF rep (a t) (a t ) ) = R_ctr3_ordenS (a (t+1)))" 
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RBHRXTB_TAC [R_ctr3_ordenS ; RBloek_BXP ; RClockNSF_BXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_RBWRITB_TAC [ lemmal_apec ; lemma2_apec ] 

);; 

lot R_icr_loadS_THM = prove_thm 
( 'R_icr_loadS ' , 

"! (t itime) (rap i A RBP_ty) (s : time->r_atate) (e «time->r_env) 

(p itimo->r_out) . 

RBlock_OATB rap sap 

(R_icr_loadS (RClockNSF rap (a t) (at)) = R_icr_loadS (s (t+1)))" 
RBWRITB_TAC [R_lcr_loadS J RBlock_EXP ; RClockNSF_BXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_RBWRXTB_TAC [ lemmal_spac ; lamma2_spec ] 

);> 

lot R_±cr_oldS_THM « provo_thm 
( 'R_icr_oldS' , 

"I (t i time) (rap i A REP_ty) (a i timo->r_atato) (e !time->r_env) 

(p itime->r_out) . 

HBlock_OATE rep sop 

(R_icr_oldS (RClockNSF rap (a t) (at)) = R_icr_oldS (a (t+1)))", 
REWRITE_TAC [R_icr_oldS ; RBlock_EXP ; RCloekNSF_EXP ] 

THEN REPEAT STRXP_TAC 

THEN ASH_RBNRXTB_TAC [ lemma l_spec ; lemma2_apoc ] 

);» 

lot R_icr_maakS_THM = prova_thm 
( , R_icr_ J maakS ' , 

"1 (t itimo) (rap t A REP_ty) (a t tima->r_stato) (o : timo->r_onv) 

(p i tima->r_out ) . 

RBlock_9ATB rap a a p 

■«> 

(R_icr_maakS (RClockNSF rop (a t) (o t) ) = R_icr_maakS (a (t+1)))" 
RBWRITE_TAC [R_icr_maakS / RBlock_EXP> RClockNSF_EXP ] 

THEN REPEAT STRXP.TAC 

THEN ASN_RBWRXTB_TAC [ lemmal_apec ; lanuna2_apoc ] 

)>l 

lot R_icrS_THH « provo_thm 
( <R_lcrS' , 

"I (t itimo) (rap i A REP_ty) (a :time->r_atate) (e :timo->r_env) 

(p i timo->r_out) . 

RBlock_OATB rap sap 

■«> 

(R^lcrS (RClockNSF rep (a t) (at)) * R_icrS (a (t+1)))", 
RBWRITE_TAC [R_icrS » RBlock_EXP ; RClockNSF_EXP ] 

THEN REPEAT STRXP_TAC 

THEN ASM_REWRITE_TAC [ lammal_apac ; lamma2_apac ] 

);; 

lot R_icr_rdenS_THM = provo_thm 
( 'R_icr_rdenS ' , 

"1 (t itimo) (rap i A REP_ty) (a i timo->r_atato) (a itima->r_anv) 

(p itlma->r_out) . 

RBlock_GATB rep a o p 

■■> 

(R_icr_rdenS (RClockNSF rap (a t) (e t) ) = R_icr_rdenS (a (t+1)))" 
RBWRITE_TAC [R w icr_rdenS; RBlock_EXP ; RClockNSF_EXP ] 

THEN REPEAT STRXP_TAC 

THEN ASN_REHRXTB_TAC [ lemmal_apec ; lemma2_apec ] 

)>> 

lot R_ccrS_THM = prova_thm 
( 'R^ccrS' , 

"! (t itimo) (rap i A REP_ty) (a i timo->r_ state) (a itima->r_anv) 

(p itimo->r_out) . 

RBlock_OATB rap a a p 

(R_ccrS (RClockNSF rap (a t) (at)) = R_ccrS (a (t+1)))". 
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REWRITE_TAC [R_ccrS ; RBlock_EXP ; RClockNSF_EXP ) 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITE_TAC [lemmal_8pec; lemma2_8pec] 

)l> 

let R_ccr_rdenS_THM = provs_thm 
{ ' R_ccr_rdenS ' , 

"! (t itime) (rap t A REP_ty) (s itima->r_Btate) (a 1 1 ime - >r_env ) 

(p ttlme->r_out) . 

RBlock_GATB rep sap 
«*> 

(R_cer_rdenS (RClockNSF rap (a t) (at)) = R_ecr_rdenS (a (t+1)))" 
RBWRITE_TAC [R_ccr_rdenS ; RBlock_EXP ; RClockNSF_SXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITE_TAC [ lemmal_apeo ; lemma2_spec ] 

);; 

let R_gcrS_THM = prove_thm 
( ' R_gcrS ' , 

"I (t itime) (rap t A RBP_ty) (8 itima->r_8tate) (a itime->r_env) 

(p itlme->r_out) . 

RBlock_OATE rap a a p 
=«> 

(R_gcr3 (RClockNSF rap (b t) (at)) = R_gcrS (s (t+1)))", 
RBWRITE_TAC [R_gcrS ; RBlock_EXP ) RC lockNSF_EXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITB_TAC [lemmal„8pac; lemma2_spec] 

)M 

let R_gcr_rdanS_THM = prove_thm 
( ' R_gcr_rdenS ' , 

"J (t itima) (rep i *REP_ty) (a itime->r_8tate) (a :time->r_anv) 

(p ttime->r_out) . 

RBlock_OATE rap sap 
*=> 

(R_gcr_rdenS (RClockNSF rep (8 t) (a t ) ) = R_gcr_rdenS (s (t+1)))" 
REWRITB_TAC [R_gcr_rdanS; RBlock_EXP > RClockNSF_BXP] 

THEN REPEAT STRIP_TAC 

THEN ASM_RBWRITE_TAC [ lammal_spec ; lamma2_spec ] 

) )> 

let R_srS_THM = prove_thm 
( 'R_srS ' , 

" 1 (t itima) (rap i*REP_ty) (b itima->r_8tata) (a itima->r_anv) 

(p itima->r_out) . 

RBlock_OATB rap sap 

(R_srS (RClockNSF rap (s t) (at)) « R_srS (s (t+1)))", 

RBWRITE_TAC IR_arS > RBlock_EXP ; RClockNSF_EXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRXTE_TAC ( lemmal_Bpec > lamma2_spec ] 

)>< 

let R_ar_rdenS_THM ■ prova_thm 
( , R_sr_rdenS < , 

"1 (t itime) (rap i A REP_ty) (s itima->r_8tata) (a itima->r_env) 

(p itima->r_out) . 

RBlock_OATB rep a a p 
*■> 

(R_ar_rdans (RClockNSF rap (a t) (at)) = R_ar_rdanS (a (t+1)))", 
RBWRITB_TAC (R_ar_rdanS ; RBlock_EXP i RClockNSF_EXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_RBWRITB_TAC [ lammal_apac ; lamma2_apac J 

) ; ; 

let I_ad_outO_THM ■ prove_thm 
( ' X_ad_outO ' , 

"1 (t itime) (rep t A REP_ty) (s itime->r_Btate) (a itime->r_env) 

(p t time->r_out ) . 

RBlock_OATE rep sap/\t>0 
»a> 

(I_ad_outO (RClockOF rep (e t) (at)) = X_ad_outO (p t))". 
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REPBAT STRIP_TAC 

THEN IMP_RES_TAC lemmaCF 

THEN UNDISCH_TAC "RBlock_QATE rep s a p" 

THEN REWRI TE_TAC [I_ad_outO;RBlock_EXP;RClockOF_EXP] 

THEN REPBAT STRIP_TAC 

THEN ASM_REWRITB_TAC [ lemmal ; lemma2 ; lemma3 ] 

THEN POP_ASSUM_IjIST (MAP_EVBRY (\th. ALL_TAC) ) 

THEN ASSOMB_TAC ( REWRITE_RULE [] (RBDUCE_CONV "0<=31") ) 

THEN IMP_RES_TAC (SPECL ["31"; "0"] OFFnP_Offn) 

THEN XMP_RES_TAC (SPECL ["31"; "0"] ONnP_0£fn) 

THEN XMP_RES_TAC (QEN_ALL( SPECL ["£ iwordn"; "31"; "0"] OFFnP_BtJSN)-> 
THEN ASM_CASES_TAC "R_ctrO_lrdenS ( ( ■ ! time->r_atate) t) " 

THEN ASM_RBWRITE_TAC [wordnVAL_BOSN_IDENT ; wordnVAL_0£ £n; ONnP_BUSN] 
THEN ASM_CASES_TAC "R_ctrO_ordenS ( (s i time->r_8tate) t)" 

THEN ASM_RBWRITE_TAC [wordnVAL_BUSN_IDENT;WordnVAL_0££n;0NnP_BUSN] 
THEN ASM_CASES_TAC "R_ctrl_irdenS ( (s i time->r_state) t)" 

THEN ASM_RBWRITE_TAC [wordnVAL_BUSN_IDENT;wordnVAL_Of fn;ONnP_BOSN] 
THEN ASM_CASBS_TAC "R_otrl_ordenS ( (a i time->r_8tate) t)" 

THEN ASM_RBWRITE_TAC [wordnVAL_BDSN_IDENT ; wordnVAL_0£ £n; ONnP_BDSN ] 
THEN ASM_CASES_TAC "R_ctr2_irdenS ( (a i time->r_atate) t)" 

THEN ASM RBWR ITE_TAC [wordnVAL_BUSN_IDENT;wordnVAL_0££n;ONnP_BUSN] 
THEN ASM_CASES_TAC "R_otr2_ordenS ( (a t time->r_state) t) " 

THEN ASM_RBWRITE_TAC [wordnVAL_BUSN_IDBNT;wordnVAL_0£fn;ONnP_BUSN] 
THEN ASM_CASES_TAC "R_ctr3_irdenS ( ( a : t±me->r_8tate) t)" 

THEN ASM_REWRITB_TAC twordnVAL_BOSN_IDBNT;wordnVAL_0£fn;ONnP_BUSN] 
THEN ASM_CASBS_TAC "R_ctr3_ordenS ( (a i time->r_atate) t) " 

THEN ASM_REWRITE_TAC [ wordnVAL_BUSN_IDENT ; wordnVAL_Of f n ; ONnP_BUSN ] 
THEN ASM_CASBS_TAC "R_icr_rdenS ( (a i time->r_state) t)" 

THEN ASM_REWRITE_TAC [wordnVAL_BUSN_IDBNT;WOrdnVAL_0f fn;ONnP_BUSN] 
THEN ASM_CASBS_TAC "R^ccr_rdenS ( (a t time->r_state) t)" 

THEN ASM_RBWRITB_TAC [wordnVAL_BDSN_IDENT ; wordn.VAL_0£ £n; ONnP_BDSN] 
THEN ASM_CASBS_TAC "R_gcr_rdenS ( (a i time->r_atate) t)" 

THEN ASM_REWRITB_TAC [wordnVAL_BUSN_IDENT ; wordnVAL_0£ £n; ONnP_BDSN] 
THEN ASM_CASES_TAC "R_ar_rdenS( (a:time->r_8tate) t) " 

THEN ASM_RBWRITB_TAC [wordnVAL_BUSN_IDENT; wordnVAL_0£ £n; ONnP_BDSN] 

);» 

let I_ardy_0_THM « prove_thm 
( ' l_ardy_0' , 

"! (t itlme) (rep : *RBP_ty) (s i time->r_state) (e itime->r_env) 

(p itime->r_out) . 

RBlock_OATB rep a e p 

8S> 

(l_ardy_0 (RClockOF rep (at) (e t ) ) = l_ardy_0 (p t))", 
RBWRITE_TAC [ l_srdy_0 ; RBlock_EXP ; RC lockOF_BXP ] 

THEN REPEAT STRIP.TAC 

THEN ASM_RBWRITE_TAC [ lemmal ; lemma2 ; lemma3 ] 

);; 

let Int0_O_THM = prove_thm 
( 'Int0_O', 

"! (t itlme) (rep i A REP_ty) (a itime->r_atate) (e s time->r_env) 

(p ttime->r_out) . 

RBlook_OATE rep a a p 

(IntO_0 (RClockOF rep (a t) (at)) = Int0_O (p t ) ) " , 

REWRI TE_TAC [ Int 0_O ; RBlock_EXP ; RClockOF_EXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_RBWRITE_TAC [lemmal; lemma2] 

) ;; 

let IntlO_THM « prove_thm 
( 'IntlO' , 

"1 (t (time) (rep i*REP_ty) (a :time->r_atate) (e :time->r_env) 

(p itime->r_out) . 

RBlock_OATB rap a a p 
•» 

(IntlO (RClockOF rep (a t) (e t) ) = IntlO (p t))", 

RBWRITE_TAC [ Int 10 ; RBlock_EXP ; RC lockOF_BXP ] 

THEN REPEAT STRIP.TAC 

THEN ASM_REWRITB_TAC [ lemmal ; lemma2 ] 

) »; 
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let Int20_THM « prove_thm 
( ' Int20 ' , 

"! (t itime) (rep t A REP_ty) (s itime->r_8tate) (e itime->r_env) 

(p itime->r_out) . 

RBlock_OATE rep Sep 
**> 

(Int20 (RClockOP rep (s t) (e t)) = Int20 (p t))", 

REWRITE_TAC [Int20; RBlock_EXP J RClockOF_EXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_RBWRITE_TAC [ lemmal ; lemma2 ] 

);; 

let Xnt3_0_THM ■ prove_thm 
( 'Xnt3_0' , 

"1 (t itime) (rep i A REP_ty) (s itlme->r_state) (e ttime->r_env) 

(P itime->r_out) . 

RBlock_OATE rep s e p 
»«> 

(Int3_0 (RClockOP rep (s t) (e t) ) = Int3_0 (p t))", 

RBWRITE_TAC [Int3_0; RBlock_BXP ; RClookOF_EXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITE_TAC [ lemmal ; lemma2 ] 

) II 

let CcrO_THM = prove_thm 
( ' CcrO ' , 

"! (t itime) (rep i A REP_ty) (s ttlme->r_state) (e itime->r_env) 

(p s time->r_out) . 

RBlock_QATE rep s e p 

(CcrO (RClockOP rep (e t) (e t)) = CcrO (p t))", 

REWRITE_TAC [CcrO » RBlock_RXP > RClockOF_EXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_REHRXTE_TAC[ lemmal ;lemma2] 

)>; 

let LedO_THM > prove_thm 
( ' LedO ' , 

"1 (t itime) (rep i A REP_ty) (a itime->r_state) (e :time->r_env) 

(p :time->r_out) . 

RBlock_QATE rep s e p 

(LedO (RClockOP rep (s t) (e t ) ) = LedO (p t ) ) " , 

RBWRI TE_TAC [LedO; RBlock_BXP » RClockOP_EXP ] 

THEN REPEAT STRIP_TAC 

THEN ASM_KBWRXTB_TAC[ lemmal ;lemma2] 

);; 

let Reeet_errorO_THM = prove_thm 
( 'Reaet_errorO ' , 

"1 (t itime) (rep t A REP_ty) (a itime->r_atate) (e itime->r_env) 

(p itime->r_out) . 

RBlock_OATB rep s e p 
==> 

(Reaet_errorO (RClockOP rep (s t) (e t ) ) = Reaet_errorO (p t))" 
RBWRITB_TAC [Reaet_errorO ; RBlock_EXP ; RClockOF_BXP] 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITB_TAC [ lemmal ) lemma2 ] 

);; 

let Pmm_invalidO_THM = prove_thm 
( ' PmnuinvalidO ' , 

"! (t itime) (rep t A REP_ty) (a itime->r_atate) (e ttime->r_env) 

(p itime->r_out) . 

RBlock_OATB rep a e p 

SB> 

( Pmm_invalldO (RClockOP rep (at) (e t ) ) = Pmm_invalidO (p t))" 
REWRITE_TAC [Pmm_invalidO| RBlock_EXP; RClockOF_EXP] 

THEN REPEAT STRIP_TAC 

THEN ASM_RBNRXTE_TAC [ lemmal > lemma2 ] 

)ll 
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3.4 C-Port Clock-Level Verification 


The theory cclock_ver and file ccjhms.ml contain the C-Port clock-level correctness proof. 


Fil«: 
Author i 
Data: 


cc lock_ver . ml 

(c) D.A. Fura 1992-93 

4 March 1993 

% 


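% Theory set-up for cclock_ver: search path, parent theories, the abstract
  representation type REP_ty, the WORDN constants used by the C-Port state
  machines, and the expanded (let-free) forms of the CC next-state and
  output functions.  The per-field lemmas are then loaded from cc_thms.ml. %
set_flag ('timing', true);;

set_search_path (search_path() @ ['/home/elvis6/dfura/ftep/piu/hol/cport/';
                                 '/home/elvis6/dfura/ftep/piu/hol/lib/';
                                 '/home/elvis6/dfura/hol/ml/';
                                 '/home/elvis6/dfura/hol/Library/abs_theory/';
                                 '/home/elvis6/dfura/hol/Library/time/';
                                 '/home/elvis6/dfura/hol/Library/OI/';
                                 '/home/elvis6/dfura/hol/Library/tools/'
                                ]);;

% Start from a clean theory file so stale theorems cannot survive. %
system 'rm cclock_ver.th';;
new_theory 'cclock_ver';;
loadt 'abs_theory';;
loadf 'aux_defs';;

map new_parent ['piuaux_def'; 'wordn_def'; 'array_def';
                'cfsms_def'; 'gates_def1'; 'latches_def'; 'ffs_def';
                'counters_def'; 'ineq'];;

map load_parent ['caux_def'; 'cblock_def'; 'cclock_def'];;
load_parent 'time_abs';;

% Abstract type of the representation parameter rep used by every lemma. %
let REP_ty = abs_type_info (theorem 'piuaux_def' 'REP');;

let CC_OF_REW = theorem 'cclock_def' 'CC_OF_REW';;
let CBlock_EXP = theorem 'cblock_def' 'CBlock_EXP';;

% 2-bit WORDN encodings of the master (M*) and slave (S*) handshake codes. %
let MSTART = "WORDN 2 4";;
let MEND = "WORDN 2 5";;
let MRDY = "WORDN 2 6";;
let MWAIT = "WORDN 2 7";;
let MABORT = "WORDN 2 0";;

let SACK = "WORDN 2 5";;
let SRDY = "WORDN 2 6";;
let SWAIT = "WORDN 2 7";;
let SABORT = "WORDN 2 0";;

% NOTE(review): CC_NSF_REW is used here but its theorem binding (by analogy
  with CC_OF_REW above) does not appear in this listing; confirm against
  the original source. %
let CC_NSF_EXP = EXPAND_LET_RULE CC_NSF_REW;;
let CC_OF_EXP = EXPAND_LET_RULE CC_OF_REW;;

loadt 'cc_thms.ml';;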

% C_Clock_Correct: under the gate-level C-Port block (CBlock_GATE rep s e p)
  the clock-level specification CCSet_Correct rep s e p holds.  After
  unfolding CCSet_Correct the goal is attacked with the induction theorem
  derived from CCI and split by CONJ_TAC into two subgoals: the next state
  equals CC_NSF applied to the current state and environment, and the
  output equals CC_OF applied to them.  Each subgoal is closed by pulling
  in one lemma per state/output field (IMP_RES_TAC) and rewriting with the
  selector theorems CCState_Selectors_Work / CCOut_Selectors_Work.
  NOTE(review): the lemma names cited below are printed without the S / O
  field suffix that the lemmas in cc_thms.ml carry (C_mfsm_stateS_THM,
  I_cgnt_0_THM, ...); confirm against the original sources.  The bare THEN
  keywords printed on their own lines near the end of Subgoal 2 pair, in
  order, with the tactics listed immediately after them. %
let C_Clock_Correct = prove_thm 
( ' C_Clock_Correct ' , 

"! (t :time) (s :tlme->cc_state) (e :time->cc_env) (p :time->cc_out) • 
CBlock_QATB rep s e p 
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==> 


CCSat_Corraot rep a a p", 

REPEAT STRIP_TAC 

THEN REWRITE_TAC [CCSat_Correct] 

THEM XNDUCT_THEN (prove_induct ion_thm CCI) ASSUMB_TAC 
THEN QBN_TAC 

THEN RBWRITE_TAC [CC_Correct)CC_Exac;CC_PreC;CC_PoatC] 

THEN CONJ_TAC 
THENL [ 

% Subgoal l! "8(t + 1) = CC_NSF(s t) (a t)" % 

SUBST_TAC [SPEC "(a (t+1) ) ico_state" CCState_Seleetora_Work] " 
THEN IMP_RES_TAC (SYM_RULB C_mf am_a t at e_THM ) 

THEN IMP_RBS_TAC <SYM_RULB C_mf am_8rdy_en_THM) 

THEN IMP_RES_TAC ( SYM_RULE C_mf a m_D_ THM ) 

THEN IMP_RES_TAC (SYM_RULE C_m£airu3rant_THM) 

THEN IMP_RBS_TAC (SYM_RULE C_m£am_rat_THM) 

THEN IMP_RBS_TAC ( SYM_RULB C_mf am_busy_THM) 

THEN IMP_RBS_TAC (SYM_RULS C_mf am_write_THM) 

THEN IMP_RBS_TAC ( SYM_RULE C_m£am_crqt_THM) 

THEN IMP_RBS_TAC (SYM_RULE C__mf am_hold_THM) 

THEN IMP_RBS_TAC (SYM_RULB C_mf am_laat_THM) 

THEN IMP_RES_TAC ( SYM_RULB C_mf am_lock_THM) 

THEN IMP_RBS_TAC ( SYM_RDLB C_mf aift_lock_THM) 

THEN IMP_RES_TAC ( SYM_ROLE C_m£am_invalid_THM) 

THEN IMP_RBS_TAC (SVM_RULE C_8f am_8tate_THM) 

THEN XMP_RES_TAC ( SYM_RCLE C_a£am_D_THM) 

THEN IMP_RES_TAC (SXM_ROLE C_8f am_ffraat_THM) 

THEN IMP_RES_TAC ( SYM_ROLE C_a£am_rat_THM) 

THEN IMPJRBS_TAC ( S YM_RULE C_a£am__writa_THM) 

THEN IMP_RBS_TAC (SYM_RDLB C_a £ am_addr a a a e d_THM ) 

THEN IMP_RBS_TAC (SYM_RDLE C_a £ am_hlda_THM ) 

THEN IMP_RES_TAC ( SYM_ROLE C_a£am_ma_THM) 

THEN XMP_RE3_TAC ( SYM_RCLB C_e£sm_atate_THM) 

THEN IMP_RES_TAC ( S VM_RULB C_a£am_cale_THM) 

THEN IMP_RE S_TAC (STMJROLE C_af am_laat„THM) 

THEN IMP_RES_TAC ( SYM_RULE C_a£anumala_THM) 

THEN IMP_RES_TAC (SYM_RDLE C_a£am_rala_THM) 

THEN IMP_RBS_TAC ( SYM_RULE C_a£am_ardy_THM) 

THEN IMP_RBS_TAC (SVM_RDLE C_e£am_rat_THM) 

THEN IMP_RBS_TAC (SYMJMJLE C_lock_in_THM) 

THEN IMP_RBS_TAC (S1M_RDLB C_laat_in_THM) 

THEN IMP_RES_TAC (STM_RDLE C_aa_THM) 

THEN IMP_RBS_TAC (SYM_RCLE C_clkA_THM) 

THEN IMP_RBS_TAC ( S YM_RDLE C_laat_OUt_THM) 

THEN IMP_RES_TAC (SYMJRULE C_aidla_dal_THM) 

THEN IMP_RES_TAC ( SYM_RULE C_mrqt_dal_THM) 

THEN IMP_RBS_TAC (STM_RULB C_hold_THM) 

THEN IMP_RBS_TAC ( SYM_RULB C_COUt_0_le_dal_THM) 

THEN IMP_RBS_TAC ( SYM_RULB C_cin_2_la_THM) 

THEN IMP_RES_TAC ( SVHJMJLB C_mrdy_del_THM) 

THEN IMP_RBS_TAC (SYMJRULE C_iad_en_s_dal_THM) 

THEN IMP_RBS_TAC ( SYM_RULE C_wrdy_THM) 

THEN IMP_RHS_TAC (SYM_RCLE C_rrdy_THM) 

THEN IMP_RES_TAC ( S YM_RULB C_par ity_THM ) 

THEN IMP_RES_TAC ( SYM_RULB C_aource_THM) 

THEN IMP_RES_TAC ( S YM_RDLE C_data_in_THM) 

THEN XMP_RES_TAC ( SYM_RULB C_b i z ewxbe_THM ) 

THEN IMP_RES_TAC ( SYM_RULB C_iad_OUt_THM) 

THEN IMP_RES_TAC ( SYM_RULB C_alaO_THM) 

THEN IMP_RBS_TAC ( SYM_RULB C_a3a2_THM) 

THEN IMP_RES_TAC ( SYM_RULB C_iad_in_THM) 

THEN IMP_RES_TAC (SYM_RULB C_wr_THM) 

THEN ASM_REWRI TE_TAC 

[SPEC "CC_NSF (rapt *REP_ty) ( (a s time->cc_etate) t) 

( (eitime->cc_anv) t)" 

( SYM_RULE CCState_Selectora_Work) ] 

I 

% Subgoal 2s "p t = CC_OP{a t) (a t)" % 

SUBST_TAC [SPEC " ( (ps t ime->cc_out ) t)" CCOut_Selectora_WorkJ 
THEN IMP_RBS_TAC ( SYM_RDLB I_ognt_THM) 

THEN IMP_RES_TAC ( SYM_RULB I_mrdy_out_THM) 

THEN IMP_RBS_TAC ( SYM_RULB I_hold_THM) 
% The bare THEN lines that follow pair, in order, with the IMP_RES_TAC
  steps listed after them; this is a layout artefact of the listing. %
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THEN 

THEN 

THEN 

THEN 

THEN 

THEN 

THEN 

THEN 

THEN 

THEN 

THEN 

THEN 

THEN 

THEN 


IMP„RBS_TAC (SYM_ROLB I_rale_out_THM) 
IMP_RBS_TAC (SYM_RULE I_male_OUt_THM) 
IMP_RES_TAC ( SYM_ROLE I_last_out_THM) 
XMP_RES_TAC (SYMJMJLB I_ardy_out_THM) 
IMP_RBS_TAC ( S YM_RULB I_ad_OUt_THM) 

IMP_RBS_TAC ( SYM_RULE I_be_out_THM) 

IMP_RES_TAC (STMJROLE CB_rqt_out_THM) 
IMP_RBS_TAC ( SYM_RDLE CB_m»_out_THM) 

IMP_RBS_TAC (SYM_RDLB CB_as_OUt_THM) 

IMP_RBS_TAC ( SYM_RULE CB_ad_out_THM) 
IMP_RES_TAC ( SYM_RULB C_as_out_THM) 

XMP_RES_TAC ( SYM_ROLE Diaabla_writa«_THM) 
XMP_RES_TAC ( SYM_ROLE CB_parity_THM) 
ASM_RBWRITE_TAC 

[SPEC "CC_OF (rapt *REP_ty) ( (at time->cc_state) 
( (eitime->cc_env) t)" 

( SYM_RULE CCOut_Seleetors_Wor)c) ] 


t) 


] 

)»; 


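% Close the cclock_ver theory opened by new_theory above. %
close_theory();;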


%
File:    cc_thms.ml
Author:  (c) D.A. Fura 1992-93
Date:    3 March 1993
%


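% Per-field lemmas for the C-Port clock-level proof.  Each ..S_THM states
  that, under the gate-level block CBlock_GATE rep s e p, one field of the
  clock-level next-state function CC_NSF rep (s t) (e t) equals the same
  field of the actual next state s (t+1); each ..O_THM does the same for a
  field of CC_OF against the actual output p t.  All are closed by
  unfolding the selector, CBlock_EXP and CC_NSF_EXP / CC_OF_EXP and then
  rewriting with the stripped hypotheses.
  Next-state field C_mfsm_stateS. %
let C_mfsm_stateS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mfsm_stateS (CC_NSF rep (s t) (e t)) = C_mfsm_stateS (s (t+1)))"),
  REWRITE_TAC [C_mfsm_stateS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;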

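% Next-state field C_mfsm_srdy_enS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mfsm_srdy_enS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mfsm_srdy_enS (CC_NSF rep (s t) (e t)) = C_mfsm_srdy_enS (s (t+1)))"),
  REWRITE_TAC [C_mfsm_srdy_enS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;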

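% Next-state field C_mfsm_DS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mfsm_DS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mfsm_DS (CC_NSF rep (s t) (e t)) = C_mfsm_DS (s (t+1)))"),
  REWRITE_TAC [C_mfsm_DS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;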

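% Next-state field C_mfsm_grantS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mfsm_grantS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mfsm_grantS (CC_NSF rep (s t) (e t)) = C_mfsm_grantS (s (t+1)))"),
  REWRITE_TAC [C_mfsm_grantS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;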

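% Next-state field C_mfsm_rstS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mfsm_rstS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mfsm_rstS (CC_NSF rep (s t) (e t)) = C_mfsm_rstS (s (t+1)))"),
  REWRITE_TAC [C_mfsm_rstS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;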

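% Next-state field C_mfsm_busyS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mfsm_busyS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mfsm_busyS (CC_NSF rep (s t) (e t)) = C_mfsm_busyS (s (t+1)))"),
  REWRITE_TAC [C_mfsm_busyS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;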

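% Next-state field C_mfsm_writeS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mfsm_writeS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mfsm_writeS (CC_NSF rep (s t) (e t)) = C_mfsm_writeS (s (t+1)))"),
  REWRITE_TAC [C_mfsm_writeS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;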

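% Next-state field C_mfsm_crqt_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mfsm_crqt_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mfsm_crqt_S (CC_NSF rep (s t) (e t)) = C_mfsm_crqt_S (s (t+1)))"),
  REWRITE_TAC [C_mfsm_crqt_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;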

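% Next-state field C_mfsm_hold_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mfsm_hold_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mfsm_hold_S (CC_NSF rep (s t) (e t)) = C_mfsm_hold_S (s (t+1)))"),
  REWRITE_TAC [C_mfsm_hold_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;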

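% Next-state field C_mfsm_last_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mfsm_last_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mfsm_last_S (CC_NSF rep (s t) (e t)) = C_mfsm_last_S (s (t+1)))"),
  REWRITE_TAC [C_mfsm_last_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;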

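% Next-state field C_mfsm_lock_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mfsm_lock_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mfsm_lock_S (CC_NSF rep (s t) (e t)) = C_mfsm_lock_S (s (t+1)))"),
  REWRITE_TAC [C_mfsm_lock_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;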

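% Next-state field C_mfsm_ssS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mfsm_ssS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mfsm_ssS (CC_NSF rep (s t) (e t)) = C_mfsm_ssS (s (t+1)))"),
  REWRITE_TAC [C_mfsm_ssS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;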

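% Next-state field C_mfsm_invalidS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mfsm_invalidS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mfsm_invalidS (CC_NSF rep (s t) (e t)) = C_mfsm_invalidS (s (t+1)))"),
  REWRITE_TAC [C_mfsm_invalidS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;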

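% Next-state field C_sfsm_stateS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_sfsm_stateS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_sfsm_stateS (CC_NSF rep (s t) (e t)) = C_sfsm_stateS (s (t+1)))"),
  REWRITE_TAC [C_sfsm_stateS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;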

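% Next-state field C_sfsm_DS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_sfsm_DS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_sfsm_DS (CC_NSF rep (s t) (e t)) = C_sfsm_DS (s (t+1)))"),
  REWRITE_TAC [C_sfsm_DS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;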

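% Next-state field C_sfsm_grantS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_sfsm_grantS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_sfsm_grantS (CC_NSF rep (s t) (e t)) = C_sfsm_grantS (s (t+1)))"),
  REWRITE_TAC [C_sfsm_grantS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;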

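% Next-state field C_sfsm_rstS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_sfsm_rstS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_sfsm_rstS (CC_NSF rep (s t) (e t)) = C_sfsm_rstS (s (t+1)))"),
  REWRITE_TAC [C_sfsm_rstS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;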

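% Next-state field C_sfsm_writeS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_sfsm_writeS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_sfsm_writeS (CC_NSF rep (s t) (e t)) = C_sfsm_writeS (s (t+1)))"),
  REWRITE_TAC [C_sfsm_writeS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;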

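% Next-state field C_sfsm_addressedS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_sfsm_addressedS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_sfsm_addressedS (CC_NSF rep (s t) (e t)) = C_sfsm_addressedS (s (t+1)))"),
  REWRITE_TAC [C_sfsm_addressedS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;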

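% Next-state field C_sfsm_hlda_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_sfsm_hlda_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_sfsm_hlda_S (CC_NSF rep (s t) (e t)) = C_sfsm_hlda_S (s (t+1)))"),
  REWRITE_TAC [C_sfsm_hlda_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;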

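% Next-state field C_sfsm_msS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_sfsm_msS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_sfsm_msS (CC_NSF rep (s t) (e t)) = C_sfsm_msS (s (t+1)))"),
  REWRITE_TAC [C_sfsm_msS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;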

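% Next-state field C_efsm_stateS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_efsm_stateS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_efsm_stateS (CC_NSF rep (s t) (e t)) = C_efsm_stateS (s (t+1)))"),
  REWRITE_TAC [C_efsm_stateS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;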

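% Next-state field C_efsm_cale_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_efsm_cale_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_efsm_cale_S (CC_NSF rep (s t) (e t)) = C_efsm_cale_S (s (t+1)))"),
  REWRITE_TAC [C_efsm_cale_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;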

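% Next-state field C_efsm_last_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_efsm_last_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_efsm_last_S (CC_NSF rep (s t) (e t)) = C_efsm_last_S (s (t+1)))"),
  REWRITE_TAC [C_efsm_last_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;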

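% Next-state field C_efsm_male_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_efsm_male_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_efsm_male_S (CC_NSF rep (s t) (e t)) = C_efsm_male_S (s (t+1)))"),
  REWRITE_TAC [C_efsm_male_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;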

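% Next-state field C_efsm_rale_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_efsm_rale_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_efsm_rale_S (CC_NSF rep (s t) (e t)) = C_efsm_rale_S (s (t+1)))"),
  REWRITE_TAC [C_efsm_rale_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;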

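% Next-state field C_efsm_srdy_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_efsm_srdy_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_efsm_srdy_S (CC_NSF rep (s t) (e t)) = C_efsm_srdy_S (s (t+1)))"),
  REWRITE_TAC [C_efsm_srdy_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;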

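% Next-state field C_efsm_rstS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_efsm_rstS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_efsm_rstS (CC_NSF rep (s t) (e t)) = C_efsm_rstS (s (t+1)))"),
  REWRITE_TAC [C_efsm_rstS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;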

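% Next-state field C_lock_in_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_lock_in_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_lock_in_S (CC_NSF rep (s t) (e t)) = C_lock_in_S (s (t+1)))"),
  REWRITE_TAC [C_lock_in_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;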

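% Next-state field C_last_in_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_last_in_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_last_in_S (CC_NSF rep (s t) (e t)) = C_last_in_S (s (t+1)))"),
  REWRITE_TAC [C_last_in_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;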

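% Next-state field C_ssS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_ssS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_ssS (CC_NSF rep (s t) (e t)) = C_ssS (s (t+1)))"),
  REWRITE_TAC [C_ssS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;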

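% Next-state field C_clkAS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_clkAS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_clkAS (CC_NSF rep (s t) (e t)) = C_clkAS (s (t+1)))"),
  REWRITE_TAC [C_clkAS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;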

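% Next-state field C_last_out_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_last_out_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_last_out_S (CC_NSF rep (s t) (e t)) = C_last_out_S (s (t+1)))"),
  REWRITE_TAC [C_last_out_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;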

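% Next-state field C_sidle_delS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_sidle_delS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_sidle_delS (CC_NSF rep (s t) (e t)) = C_sidle_delS (s (t+1)))"),
  REWRITE_TAC [C_sidle_delS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;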

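% Next-state field C_mrqt_delS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mrqt_delS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mrqt_delS (CC_NSF rep (s t) (e t)) = C_mrqt_delS (s (t+1)))"),
  REWRITE_TAC [C_mrqt_delS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;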

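% Next-state field C_hold_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_hold_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_hold_S (CC_NSF rep (s t) (e t)) = C_hold_S (s (t+1)))"),
  REWRITE_TAC [C_hold_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;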

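% Next-state field C_cout_0_le_delS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_cout_0_le_delS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_cout_0_le_delS (CC_NSF rep (s t) (e t)) = C_cout_0_le_delS (s (t+1)))"),
  REWRITE_TAC [C_cout_0_le_delS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;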

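% Next-state field C_cin_2_leS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_cin_2_leS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_cin_2_leS (CC_NSF rep (s t) (e t)) = C_cin_2_leS (s (t+1)))"),
  REWRITE_TAC [C_cin_2_leS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;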

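% Next-state field C_mrdy_del_S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_mrdy_del_S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_mrdy_del_S (CC_NSF rep (s t) (e t)) = C_mrdy_del_S (s (t+1)))"),
  REWRITE_TAC [C_mrdy_del_S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;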

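% Next-state field C_iad_en_s_delS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_iad_en_s_delS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_iad_en_s_delS (CC_NSF rep (s t) (e t)) = C_iad_en_s_delS (s (t+1)))"),
  REWRITE_TAC [C_iad_en_s_delS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;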

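% Next-state field C_wrdyS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_wrdyS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_wrdyS (CC_NSF rep (s t) (e t)) = C_wrdyS (s (t+1)))"),
  REWRITE_TAC [C_wrdyS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;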

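% Next-state field C_rrdyS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_rrdyS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_rrdyS (CC_NSF rep (s t) (e t)) = C_rrdyS (s (t+1)))"),
  REWRITE_TAC [C_rrdyS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;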

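% Next-state field C_parityS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_parityS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_parityS (CC_NSF rep (s t) (e t)) = C_parityS (s (t+1)))"),
  REWRITE_TAC [C_parityS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;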

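% Next-state field C_sourceS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_sourceS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_sourceS (CC_NSF rep (s t) (e t)) = C_sourceS (s (t+1)))"),
  REWRITE_TAC [C_sourceS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;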

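% Next-state field C_data_inS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_data_inS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_data_inS (CC_NSF rep (s t) (e t)) = C_data_inS (s (t+1)))"),
  REWRITE_TAC [C_data_inS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;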

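% Next-state field C_sizewrbeS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_sizewrbeS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_sizewrbeS (CC_NSF rep (s t) (e t)) = C_sizewrbeS (s (t+1)))"),
  REWRITE_TAC [C_sizewrbeS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;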

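% Next-state field C_iad_outS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_iad_outS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_iad_outS (CC_NSF rep (s t) (e t)) = C_iad_outS (s (t+1)))"),
  REWRITE_TAC [C_iad_outS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;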

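% Next-state field C_a1a0S (address bits 1..0, cf. C_a3a2S below):
  CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_a1a0S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_a1a0S (CC_NSF rep (s t) (e t)) = C_a1a0S (s (t+1)))"),
  REWRITE_TAC [C_a1a0S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;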

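% Next-state field C_a3a2S: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_a3a2S_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_a3a2S (CC_NSF rep (s t) (e t)) = C_a3a2S (s (t+1)))"),
  REWRITE_TAC [C_a3a2S; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;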

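% Next-state field C_iad_inS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_iad_inS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_iad_inS (CC_NSF rep (s t) (e t)) = C_iad_inS (s (t+1)))"),
  REWRITE_TAC [C_iad_inS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;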

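% Next-state field C_wrS: CC_NSF agrees with s (t+1) under CBlock_GATE. %
let C_wrS_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_wrS (CC_NSF rep (s t) (e t)) = C_wrS (s (t+1)))"),
  REWRITE_TAC [C_wrS; CBlock_EXP; CC_NSF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;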

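% Output-field lemmas: under CBlock_GATE rep s e p, a field of the
  clock-level output function CC_OF rep (s t) (e t) equals the same
  field of the actual output p t.  Output field I_cgnt_0. %
let I_cgnt_0_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (I_cgnt_0 (CC_OF rep (s t) (e t)) = I_cgnt_0 (p t))"),
  REWRITE_TAC [I_cgnt_0; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;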

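% Output field I_mrdy_out_0: CC_OF agrees with p t under CBlock_GATE. %
let I_mrdy_out_0_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (I_mrdy_out_0 (CC_OF rep (s t) (e t)) = I_mrdy_out_0 (p t))"),
  REWRITE_TAC [I_mrdy_out_0; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;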

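% Output field I_hold_0: CC_OF agrees with p t under CBlock_GATE. %
let I_hold_0_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (I_hold_0 (CC_OF rep (s t) (e t)) = I_hold_0 (p t))"),
  REWRITE_TAC [I_hold_0; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;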

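% Output field I_rale_out_0: CC_OF agrees with p t under CBlock_GATE. %
let I_rale_out_0_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (I_rale_out_0 (CC_OF rep (s t) (e t)) = I_rale_out_0 (p t))"),
  REWRITE_TAC [I_rale_out_0; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;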

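% Output field I_male_out_0: CC_OF agrees with p t under CBlock_GATE. %
let I_male_out_0_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (I_male_out_0 (CC_OF rep (s t) (e t)) = I_male_out_0 (p t))"),
  REWRITE_TAC [I_male_out_0; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;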

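% Output field I_last_out_0: CC_OF agrees with p t under CBlock_GATE. %
let I_last_out_0_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (I_last_out_0 (CC_OF rep (s t) (e t)) = I_last_out_0 (p t))"),
  REWRITE_TAC [I_last_out_0; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;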

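% Output field I_srdy_out_0: CC_OF agrees with p t under CBlock_GATE. %
let I_srdy_out_0_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (I_srdy_out_0 (CC_OF rep (s t) (e t)) = I_srdy_out_0 (p t))"),
  REWRITE_TAC [I_srdy_out_0; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;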

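% Output field I_ad_outO: CC_OF agrees with p t under CBlock_GATE. %
let I_ad_outO_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (I_ad_outO (CC_OF rep (s t) (e t)) = I_ad_outO (p t))"),
  REWRITE_TAC [I_ad_outO; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;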

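% Output field I_be_out_0: CC_OF agrees with p t under CBlock_GATE. %
let I_be_out_0_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (I_be_out_0 (CC_OF rep (s t) (e t)) = I_be_out_0 (p t))"),
  REWRITE_TAC [I_be_out_0; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;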

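% Output field CB_rqt_out_0: CC_OF agrees with p t under CBlock_GATE. %
let CB_rqt_out_0_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (CB_rqt_out_0 (CC_OF rep (s t) (e t)) = CB_rqt_out_0 (p t))"),
  REWRITE_TAC [CB_rqt_out_0; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;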

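% Output field CB_ms_outO: CC_OF agrees with p t under CBlock_GATE. %
let CB_ms_outO_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (CB_ms_outO (CC_OF rep (s t) (e t)) = CB_ms_outO (p t))"),
  REWRITE_TAC [CB_ms_outO; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;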

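% Output field CB_ss_outO: CC_OF agrees with p t under CBlock_GATE. %
let CB_ss_outO_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (CB_ss_outO (CC_OF rep (s t) (e t)) = CB_ss_outO (p t))"),
  REWRITE_TAC [CB_ss_outO; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;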

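% Output field CB_ad_outO: CC_OF agrees with p t under CBlock_GATE.
  Unlike the other output lemmas in this file, the final rewrite also
  needs DE_MORGAN_THM to close the goal. %
let CB_ad_outO_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (CB_ad_outO (CC_OF rep (s t) (e t)) = CB_ad_outO (p t))"),
  REWRITE_TAC [CB_ad_outO; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC [DE_MORGAN_THM]
 );;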

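% Output field C_ss_outO: CC_OF agrees with p t under CBlock_GATE. %
let C_ss_outO_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (C_ss_outO (CC_OF rep (s t) (e t)) = C_ss_outO (p t))"),
  REWRITE_TAC [C_ss_outO; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;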

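% Output field Disable_writesO: CC_OF agrees with p t under CBlock_GATE. %
let Disable_writesO_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (Disable_writesO (CC_OF rep (s t) (e t)) = Disable_writesO (p t))"),
  REWRITE_TAC [Disable_writesO; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;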

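% Output field CB_parityO: CC_OF agrees with p t under CBlock_GATE. %
let CB_parityO_THM = TAC_PROOF
 (([],
   "! (t:time) (rep:^REP_ty) (s:time->cc_state) (e:time->cc_env)
      (p:time->cc_out) .
      CBlock_GATE rep s e p
      ==>
      (CB_parityO (CC_OF rep (s t) (e t)) = CB_parityO (p t))"),
  REWRITE_TAC [CB_parityO; CBlock_EXP; CC_OF_EXP]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;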

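% Close the theory that was current when cc_thms.ml was loaded. %
close_theory();;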


3.5 SU-Cont Clock-Level Verification 

The theory sclock_ver and the file sc_thms.ml contain the SU-Cont clock-level correctness proof.


%
File:    sclock_ver.ml
Author:  (c) D.A. Fura 1992-93
Date:    4 March 1993
%

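% Theory set-up for sclock_ver: search path, parent theories, the time
  abbreviation and the rewrite theorems for the SU-Cont next-state and
  output functions; the per-field lemmas are then loaded from sc_thms.ml.
  NOTE(review): the search-path list is incomplete in this listing — only
  the entries that survived are reproduced here. %
set_flag ('timing', true);;

set_search_path (search_path() @ ['/home/elvis6/dfura/ftep/piu/hol/sucont/';
                                 '/home/elvis6/dfura/ftep/piu/hol/lib/';
                                 '/home/elvis6/dfura/hol/ml/';
                                 '/home/elvis6/dfura/hol/Library/tools/'
                                ]);;

% Start from a clean theory file so stale theorems cannot survive. %
system 'rm sclock_ver.th';;
new_theory 'sclock_ver';;
loadf 'aux_defs';;

map new_parent ['wordn_def'; 'array_def'];;

map load_parent ['sclock_def'; 'sblock_def'; 'piuaux_def'; 'gates_def1';
                 'latches_def'; 'ffs_def'; 'counters_def'; 'saux_def'];;

new_type_abbrev ('time', ":num");;

let SClockNSF_REW = theorem 'sclock_def' 'SClockNSF_REW';;
let SClockOF_REW = theorem 'sclock_def' 'SClockOF_REW';;

loadt 'sc_thms.ml';;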

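% S_Clock_Correct: under the gate-level SU-Cont block (SBlock_GATE s e p)
  the clock-level specification SCSet_Correct s e p holds.  After
  unfolding SCSet_Correct the goal is attacked with the induction theorem
  derived from SCI and split by CONJ_TAC into two subgoals: the next state
  equals SC_NSF applied to the current state and environment, and the
  output equals SC_OF applied to them.  Each subgoal is closed by pulling
  in one per-field lemma from sc_thms.ml (IMP_RES_TAC) and rewriting with
  the selector theorems State_Selectors_Work / Out_Selectors_Work. %
let S_Clock_Correct = prove_thm
 ('S_Clock_Correct',
  "! (t:time) (s:time->s_state) (e:time->s_env) (p:time->s_out) .
     SBlock_GATE s e p
     ==>
     SCSet_Correct s e p",
  REPEAT STRIP_TAC
  THEN REWRITE_TAC [SCSet_Correct]
  THEN INDUCT_THEN (prove_induction_thm SCI) ASSUME_TAC
  THEN GEN_TAC
  THEN REWRITE_TAC [SC_Correct;SC_Exec;SC_PreC;SC_PostC]
  THEN CONJ_TAC
  THENL [
   % Subgoal 1: "s(t + 1) = SC_NSF(s t) (e t)" %
   SUBST_TAC [SPEC "(s (t+1)):s_state" State_Selectors_Work]
   THEN IMP_RES_TAC (SYM_RULE S_fsm_stateS_THM)
   THEN IMP_RES_TAC (SYM_RULE S_fsm_rstS_THM)
   THEN IMP_RES_TAC (SYM_RULE S_fsm_delay6S_THM)
   THEN IMP_RES_TAC (SYM_RULE S_fsm_delay17S_THM)
   THEN IMP_RES_TAC (SYM_RULE S_fsm_bothbadS_THM)
   THEN IMP_RES_TAC (SYM_RULE S_fsm_bypassS_THM)
   THEN IMP_RES_TAC (SYM_RULE S_soft_shotS_THM)
   THEN IMP_RES_TAC (SYM_RULE S_soft_shot_delS_THM)
   THEN IMP_RES_TAC (SYM_RULE S_soft_cntS_THM)
   THEN IMP_RES_TAC (SYM_RULE S_delayS_THM)
   THEN IMP_RES_TAC (SYM_RULE S_instartS_THM)
   THEN IMP_RES_TAC (SYM_RULE S_bad_cpu0S_THM)
   THEN IMP_RES_TAC (SYM_RULE S_bad_cpu1S_THM)
   THEN IMP_RES_TAC (SYM_RULE S_reset_cpu0S_THM)
   THEN IMP_RES_TAC (SYM_RULE S_reset_cpu1S_THM)
   THEN IMP_RES_TAC (SYM_RULE S_cpu_bistS_THM)
   THEN IMP_RES_TAC (SYM_RULE S_pmm_failS_THM)
   THEN IMP_RES_TAC (SYM_RULE S_cpu0_failS_THM)
   THEN IMP_RES_TAC (SYM_RULE S_cpu1_failS_THM)
   THEN IMP_RES_TAC (SYM_RULE S_piu_failS_THM)
   THEN ASM_REWRITE_TAC
        [SPEC "SC_NSF ((s:time->s_state) t) ((e:time->s_env) t)"
              (SYM_RULE State_Selectors_Work)]
   ;
   % Subgoal 2: "p t = SC_OF(s t) (e t)" %
   SUBST_TAC [SPEC "((p:time->s_out) t)" Out_Selectors_Work]
   THEN IMP_RES_TAC (SYM_RULE S_StateO_THM)
   THEN IMP_RES_TAC (SYM_RULE Reset_cportO_THM)
   THEN IMP_RES_TAC (SYM_RULE Disable_intO_THM)
   THEN IMP_RES_TAC (SYM_RULE Reset_piuO_THM)
   THEN IMP_RES_TAC (SYM_RULE Reset_cpu0O_THM)
   THEN IMP_RES_TAC (SYM_RULE Reset_cpu1O_THM)
   THEN IMP_RES_TAC (SYM_RULE Cpu_bistO_THM)
   THEN IMP_RES_TAC (SYM_RULE Piu_failO_THM)
   THEN IMP_RES_TAC (SYM_RULE Cpu0_failO_THM)
   THEN IMP_RES_TAC (SYM_RULE Cpu1_failO_THM)
   THEN IMP_RES_TAC (SYM_RULE Pmm_failO_THM)
   THEN ASM_REWRITE_TAC
        [SPEC "SC_OF ((s:time->s_state) t) ((e:time->s_env) t)"
              (SYM_RULE Out_Selectors_Work)]
  ]
 );;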

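% Close the sclock_ver theory opened by new_theory above. %
close_theory();;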


%
File:    sc_thms.ml
Author:  (c) D.A. Fura 1992-93
Date:    4 March 1993
%


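% S_fsm_stateS_THM: when SBlock_GATE s e p holds, the S_fsm_stateS field of the
  next state computed by SC_NSF from (s t) and (e t) is the S_fsm_stateS field
  of s (t+1). Proof: unfold the selector, the gate model and the NSF let-body,
  then rewrite with the stripped assumptions. %
let S_fsm_stateS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_fsm_stateS (SC_NSF (s t) (e t)) = S_fsm_stateS (s (t+1)))"),
  REWRITE_TAC [S_fsm_stateS; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;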

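% S_fsm_rstS_THM: under SBlock_GATE s e p, the S_fsm_rstS field of
  SC_NSF (s t) (e t) equals the S_fsm_rstS field of s (t+1). %
let S_fsm_rstS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_fsm_rstS (SC_NSF (s t) (e t)) = S_fsm_rstS (s (t+1)))"),
  REWRITE_TAC [S_fsm_rstS; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;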

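% S_fsm_delay6S_THM: under SBlock_GATE s e p, the S_fsm_delay6S field of
  SC_NSF (s t) (e t) equals the S_fsm_delay6S field of s (t+1). %
let S_fsm_delay6S_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_fsm_delay6S (SC_NSF (s t) (e t)) = S_fsm_delay6S (s (t+1)))"),
  REWRITE_TAC [S_fsm_delay6S; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;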

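% S_fsm_delay17S_THM: under SBlock_GATE s e p, the S_fsm_delay17S field of
  SC_NSF (s t) (e t) equals the S_fsm_delay17S field of s (t+1). %
let S_fsm_delay17S_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_fsm_delay17S (SC_NSF (s t) (e t)) = S_fsm_delay17S (s (t+1)))"),
  REWRITE_TAC [S_fsm_delay17S; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;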

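% S_fsm_bothbadS_THM: under SBlock_GATE s e p, the S_fsm_bothbadS field of
  SC_NSF (s t) (e t) equals the S_fsm_bothbadS field of s (t+1). %
let S_fsm_bothbadS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_fsm_bothbadS (SC_NSF (s t) (e t)) = S_fsm_bothbadS (s (t+1)))"),
  REWRITE_TAC [S_fsm_bothbadS; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;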


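% S_fsm_bypassS_THM: under SBlock_GATE s e p, the S_fsm_bypassS field of
  SC_NSF (s t) (e t) equals the S_fsm_bypassS field of s (t+1). %
let S_fsm_bypassS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_fsm_bypassS (SC_NSF (s t) (e t)) = S_fsm_bypassS (s (t+1)))"),
  REWRITE_TAC [S_fsm_bypassS; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;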

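% S_soft_shotS_THM: under SBlock_GATE s e p, the S_soft_shotS field of
  SC_NSF (s t) (e t) equals the S_soft_shotS field of s (t+1). %
let S_soft_shotS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_soft_shotS (SC_NSF (s t) (e t)) = S_soft_shotS (s (t+1)))"),
  REWRITE_TAC [S_soft_shotS; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;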

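% S_soft_shot_delS_THM: under SBlock_GATE s e p, the S_soft_shot_delS field of
  SC_NSF (s t) (e t) equals the S_soft_shot_delS field of s (t+1). %
let S_soft_shot_delS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_soft_shot_delS (SC_NSF (s t) (e t)) = S_soft_shot_delS (s (t+1)))"),
  REWRITE_TAC [S_soft_shot_delS; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;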

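% S_soft_cntS_THM: under SBlock_GATE s e p, the S_soft_cntS field of
  SC_NSF (s t) (e t) equals the S_soft_cntS field of s (t+1). %
let S_soft_cntS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_soft_cntS (SC_NSF (s t) (e t)) = S_soft_cntS (s (t+1)))"),
  REWRITE_TAC [S_soft_cntS; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;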

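% S_delayS_THM: under SBlock_GATE s e p, the S_delayS field of
  SC_NSF (s t) (e t) equals the S_delayS field of s (t+1). %
let S_delayS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_delayS (SC_NSF (s t) (e t)) = S_delayS (s (t+1)))"),
  REWRITE_TAC [S_delayS; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;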

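% S_instartS_THM: under SBlock_GATE s e p, the S_instartS field of
  SC_NSF (s t) (e t) equals the S_instartS field of s (t+1). %
let S_instartS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_instartS (SC_NSF (s t) (e t)) = S_instartS (s (t+1)))"),
  REWRITE_TAC [S_instartS; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;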

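% S_bad_cpu0S_THM: under SBlock_GATE s e p, the S_bad_cpu0S field of
  SC_NSF (s t) (e t) equals the S_bad_cpu0S field of s (t+1). %
let S_bad_cpu0S_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_bad_cpu0S (SC_NSF (s t) (e t)) = S_bad_cpu0S (s (t+1)))"),
  REWRITE_TAC [S_bad_cpu0S; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;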

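% S_bad_cpu1S_THM: under SBlock_GATE s e p, the S_bad_cpu1S field of
  SC_NSF (s t) (e t) equals the S_bad_cpu1S field of s (t+1). %
let S_bad_cpu1S_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_bad_cpu1S (SC_NSF (s t) (e t)) = S_bad_cpu1S (s (t+1)))"),
  REWRITE_TAC [S_bad_cpu1S; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;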

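% S_reset_cpu0S_THM: under SBlock_GATE s e p, the S_reset_cpu0S field of
  SC_NSF (s t) (e t) equals the S_reset_cpu0S field of s (t+1). %
let S_reset_cpu0S_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_reset_cpu0S (SC_NSF (s t) (e t)) = S_reset_cpu0S (s (t+1)))"),
  REWRITE_TAC [S_reset_cpu0S; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;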

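% S_reset_cpu1S_THM: under SBlock_GATE s e p, the S_reset_cpu1S field of
  SC_NSF (s t) (e t) equals the S_reset_cpu1S field of s (t+1). %
let S_reset_cpu1S_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_reset_cpu1S (SC_NSF (s t) (e t)) = S_reset_cpu1S (s (t+1)))"),
  REWRITE_TAC [S_reset_cpu1S; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;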

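% S_cpu_bistS_THM: under SBlock_GATE s e p, the S_cpu_bistS field of
  SC_NSF (s t) (e t) equals the S_cpu_bistS field of s (t+1).
  Unlike its siblings this proof unfolds the gate-level structure (SBlock,
  DFFB_GATE, DLatB_GATE, AND3_GATE, ASel, BSel) instead of SBlock_EXP, and
  needs GEN_TAC and BETA_TAC before the assumptions can be stripped.
  One rewrite-list entry is unreadable in the scanned listing and is left as
  printed. %
let S_cpu_bistS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_cpu_bistS (SC_NSF (s t) (e t)) = S_cpu_bistS (s (t+1)))"),
  REWRITE_TAC [S_cpu_bistS; SBlock; DFFB_GATE; DLatB_GATE; AND3_GATE; ASel; BSel;
               a iff; % OCR-unreadable entry, as printed in the listing %
               (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT GEN_TAC
  THEN BETA_TAC
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;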

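% S_pmm_failS_THM: under SBlock_GATE s e p, the S_pmm_failS field of
  SC_NSF (s t) (e t) equals the S_pmm_failS field of s (t+1). %
let S_pmm_failS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_pmm_failS (SC_NSF (s t) (e t)) = S_pmm_failS (s (t+1)))"),
  REWRITE_TAC [S_pmm_failS; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;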

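% S_cpu0_failS_THM: under SBlock_GATE s e p, the S_cpu0_failS field of
  SC_NSF (s t) (e t) equals the S_cpu0_failS field of s (t+1). %
let S_cpu0_failS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_cpu0_failS (SC_NSF (s t) (e t)) = S_cpu0_failS (s (t+1)))"),
  REWRITE_TAC [S_cpu0_failS; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;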

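% S_cpu1_failS_THM: under SBlock_GATE s e p, the S_cpu1_failS field of
  SC_NSF (s t) (e t) equals the S_cpu1_failS field of s (t+1). %
let S_cpu1_failS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_cpu1_failS (SC_NSF (s t) (e t)) = S_cpu1_failS (s (t+1)))"),
  REWRITE_TAC [S_cpu1_failS; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;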

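% S_piu_failS_THM: under SBlock_GATE s e p, the S_piu_failS field of
  SC_NSF (s t) (e t) equals the S_piu_failS field of s (t+1). %
let S_piu_failS_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_piu_failS (SC_NSF (s t) (e t)) = S_piu_failS (s (t+1)))"),
  REWRITE_TAC [S_piu_failS; SBlock_EXP; (EXPAND_LET_RULE SClockNSF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;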

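% S_stateO_THM: under SBlock_GATE s e p, the S_stateO field of the output
  computed by SC_OF from (s t) and (e t) is the S_stateO field of p t.
  Same proof shape as the NSF theorems, unfolding SClockOF_REW instead. %
let S_stateO_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (S_stateO (SC_OF (s t) (e t)) = S_stateO (p t))"),
  REWRITE_TAC [S_stateO; SBlock_EXP; (EXPAND_LET_RULE SClockOF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;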

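% Reset_cportO_THM: under SBlock_GATE s e p, the Reset_cportO field of
  SC_OF (s t) (e t) equals the Reset_cportO field of p t. %
let Reset_cportO_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (Reset_cportO (SC_OF (s t) (e t)) = Reset_cportO (p t))"),
  REWRITE_TAC [Reset_cportO; SBlock_EXP; (EXPAND_LET_RULE SClockOF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;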

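% Disable_intO_THM: under SBlock_GATE s e p, the Disable_intO field of
  SC_OF (s t) (e t) equals the Disable_intO field of p t. %
let Disable_intO_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (Disable_intO (SC_OF (s t) (e t)) = Disable_intO (p t))"),
  REWRITE_TAC [Disable_intO; SBlock_EXP; (EXPAND_LET_RULE SClockOF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;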

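% Reset_piuO_THM: under SBlock_GATE s e p, the Reset_piuO field of
  SC_OF (s t) (e t) equals the Reset_piuO field of p t. %
let Reset_piuO_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (Reset_piuO (SC_OF (s t) (e t)) = Reset_piuO (p t))"),
  REWRITE_TAC [Reset_piuO; SBlock_EXP; (EXPAND_LET_RULE SClockOF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;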

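% Reset_cpu0O_THM: under SBlock_GATE s e p, the Reset_cpu0O field of
  SC_OF (s t) (e t) equals the Reset_cpu0O field of p t. %
let Reset_cpu0O_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (Reset_cpu0O (SC_OF (s t) (e t)) = Reset_cpu0O (p t))"),
  REWRITE_TAC [Reset_cpu0O; SBlock_EXP; (EXPAND_LET_RULE SClockOF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;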

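% Reset_cpu1O_THM: under SBlock_GATE s e p, the Reset_cpu1O field of
  SC_OF (s t) (e t) equals the Reset_cpu1O field of p t. %
let Reset_cpu1O_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (Reset_cpu1O (SC_OF (s t) (e t)) = Reset_cpu1O (p t))"),
  REWRITE_TAC [Reset_cpu1O; SBlock_EXP; (EXPAND_LET_RULE SClockOF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;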

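% Cpu_bistO_THM: under SBlock_GATE s e p, the Cpu_bistO field of
  SC_OF (s t) (e t) equals the Cpu_bistO field of p t. %
let Cpu_bistO_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (Cpu_bistO (SC_OF (s t) (e t)) = Cpu_bistO (p t))"),
  REWRITE_TAC [Cpu_bistO; SBlock_EXP; (EXPAND_LET_RULE SClockOF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;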

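% Piu_failO_THM: under SBlock_GATE s e p, the Piu_failO field of
  SC_OF (s t) (e t) equals the Piu_failO field of p t. %
let Piu_failO_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (Piu_failO (SC_OF (s t) (e t)) = Piu_failO (p t))"),
  REWRITE_TAC [Piu_failO; SBlock_EXP; (EXPAND_LET_RULE SClockOF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;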

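% Cpu0_failO_THM: under SBlock_GATE s e p, the Cpu0_failO field of
  SC_OF (s t) (e t) equals the Cpu0_failO field of p t. %
let Cpu0_failO_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (Cpu0_failO (SC_OF (s t) (e t)) = Cpu0_failO (p t))"),
  REWRITE_TAC [Cpu0_failO; SBlock_EXP; (EXPAND_LET_RULE SClockOF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;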

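% Cpu1_failO_THM: under SBlock_GATE s e p, the Cpu1_failO field of
  SC_OF (s t) (e t) equals the Cpu1_failO field of p t. %
let Cpu1_failO_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (Cpu1_failO (SC_OF (s t) (e t)) = Cpu1_failO (p t))"),
  REWRITE_TAC [Cpu1_failO; SBlock_EXP; (EXPAND_LET_RULE SClockOF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;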

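% Pmm_failO_THM: under SBlock_GATE s e p, the Pmm_failO field of
  SC_OF (s t) (e t) equals the Pmm_failO field of p t.
  The closing ");;" is missing from the scanned listing and is restored here. %
let Pmm_failO_THM = TAC_PROOF
 (([],
   "! (t :time) (s :time->s_state) (e :time->s_env) (p :time->s_out) .
     SBlock_GATE s e p
     ==>
     (Pmm_failO (SC_OF (s t) (e t)) = Pmm_failO (p t))"),
  REWRITE_TAC [Pmm_failO; SBlock_EXP; (EXPAND_LET_RULE SClockOF_REW)]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;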



4 Requirements Verification 

This file contains the HOL listings for the major portion of the P-Port transaction-level verification. The 
theory ptrans_ver contains the top-level correctness statement for the P-Port. The files pt_thms1.ml and 
pt_thms2.ml contain the bulk of the theorems used in the correctness proof. 


File: ptrans_ver.ml 

Author: (c) D.A. Fura 1992-93 

Date: 7 March 1993 


■% 


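% Extend the HOL search path with the P-Port, PIU library, tools and ml
  directories. These are absolute paths under one user's home directory, so
  the script only loads unchanged on that machine. %
set_search_path (search_path () @ ['/home/elvis6/dfura/ftep/piu/hol/pport/';
                                   '/home/elvis6/dfura/ftep/piu/hol/lib/';
                                   '/home/elvis6/dfura/hol/library/tools/';
                                   '/home/elvis6/dfura/hol/ml/'
                                  ]);;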


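% Theory set-up: enable timing, remove any stale ptrans_ver.th so new_theory
  starts from scratch, load the reduce library and the auxiliary definitions,
  declare the parent theories, and abbreviate the three time types. %
set_flag ('timing', true);;
system 'rm ptrans_ver.th';;
new_theory 'ptrans_ver';;
load_library 'reduce';;
loadf 'aux_defs';;

map load_parent ['piuaux_def'; 'ptauxp_def'; 'paux_def'; 'array_def'; 'wordn_def';
                 'busn_def'; 'templogic_def'; 'ptransp_def'; 'pclock_def';
                 'ptabs_def'; 'ineg'; 'assoc'; 'cond'];;

% All three time types are num; timeT is transaction-level time, timeC is
  clock-level time (as used by the theorems below). %
new_type_abbrev ('time', ":num");;
new_type_abbrev ('timeT', ":num");;
new_type_abbrev ('timeC', ":num");;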

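% Let-expanded forms of the P-Port transaction-level output function and of
  the abstraction definitions, for use as rewrites in the proofs below. %
let PT_WriteOF_EXP = EXPAND_LET_RULE (definition 'ptrans_def' 'PT_WriteOF');;
let PTAbs_EXP = EXPAND_LET_RULE (definition 'ptabs_def' 'PTAbs');;
let PB_Slave_EXP = EXPAND_LET_RULE (definition 'ptabs_def' 'PB_Slave');;
let IB_PMaster_EXP = EXPAND_LET_RULE (definition 'ptabs_def' 'IB_PMaster');;
let PStateAbs_EXP = EXPAND_LET_RULE (definition 'ptabs_def' 'PStateAbs');;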

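% Keep subgoal printing quiet, then load the P-Port tactics, definitions and
  the two theorem files (pt_thms1.ml and pt_thms2.ml). %
set_flag ('print_all_subgoals', false);;

loadf 'pt_tacs.ml';;
loadf 'pt_defs.ml';;
loadt 'pt_thms1.ml';;
loadt 'pt_thms2.ml';;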


(PT_Write, IB_Addr_outO) Theorem: 


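% ADDR_WRITE: for a PT_Write transaction, the IB_Addr_outO component of the
  transaction-level output function PT_WriteOF agrees with the actual output
  p t, assuming the clock-level set is correct (PCSet_Correct), s e p is its
  abstraction (PTAbsSet), and the transaction executes with its precondition.
  The proof pulls the abstraction facts into the assumptions, locates the
  I-Bus transaction and its ALE time ti', and then splits on whether the
  P_rqtS request flag was set at ti' (address delayed) or not (flow-through).
  Names of lemmas that occur only in this proof were normalised from the
  scanned listing by analogy with their siblings (e.g. the FLOWTHRU lemma). %
let ADDR_WRITE = TAC_PROOF
 (([],
   "! (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (s' :timeC->pc_state) (e' :timeC->pc_env) (p' :timeC->pc_out) .
     PCSet_Correct s' e' p' ==>
     PTAbsSet s e p s' e' p' ==>
     PT_Exec PT_Write s e p t ==>
     PT_PreC PT_Write s e p t ==>
     (IB_Addr_outO (PT_WriteOF (s t) (e t)) = IB_Addr_outO (p t))"),
  REPEAT STRIP_TAC
  THEN IMP_RES_TAC ABS_SET_IMP_ABS
  THEN NRULE_ASSUM_TAC
        ("!pti t. PTAbs pti s e p t s' e' p'",
         ((SPECL ["PT_Write"; "t:timeT"]) o (REWRITE_RULE [PTAbs])))
  THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
  THEN RES_TAC
  THEN RES_TAC
  THEN POP_ASSUM (\thm. ALL_TAC) %KEEP%
  THEN POP_ASSUM (\thm. ALL_TAC) %KEEP%
  THEN IMP_RES_TAC NTH_IBUS_TRANS_EXISTS
  THEN IMP_RES_TAC NTH_TIME_TRUE_X_IMP_X
  THEN POP_ASSUM (\thm. ALL_TAC) %KEEP%
  THEN RES_TAC
  THEN POP_ASSUM (\thm. ALL_TAC) %KEEP%
  THEN POP_ASSUM (\thm. ALL_TAC) %KEEP%
  THEN IMP_RES_TAC PB_Addr_in_ISO
  THEN IMP_RES_TAC IB_Addr_out_ISO
  THEN IMP_RES_TAC I_ad_out_ISO
  THEN IMP_RES_TAC (REWRITE_RULE [New_State_Is_PA] IBUS_ALE_IMP_PA)
  THEN ASM_REWRITE_TAC [prove_constructors_distinct pfsm_ty_Axiom;
                        PT_WriteOF_EXP; IB_Addr_outO; wordnVAL_BUSN_IDENT;
                        EXTRACT_ADDR]
  THEN POP_ASSUM (\thm. ALL_TAC)
  THEN POP_ASSUM (\thm. ALL_TAC)
  THEN ASM_CASES_TAC "P_rqtS (s' (ti':timeC))"
  THEN ASM_REWRITE_TAC []
  THENL [
   % Subgoal 1: [ "P_rqtS(s' ti')" ] -- request pending, address delayed %
   IMP_RES_TAC
    (REWRITE_RULE [DE_MORGAN_THM] P_RQT_TRUE_ON_TI'_IMP_DELAY_CONDS)
   THEN IMP_RES_TAC (REWRITE_RULE [DE_MORGAN_THM] ALE_SIG_IB_TRUE_AFTER_TP')
   THEN IMP_RES_TAC NEXT_IBUS_TRANS_IS_NTH
   THEN IMP_RES_TAC TI'_AFTER_TP'
   THEN
    % First show the located ALE time ti'' is the ALE time ti' itself,
      then carry the address held stable from tp' through to ti'. %
    (SUBGOAL_THEN "(ti':timeC) = ti''" ASSUME_TAC
     THENL [
      IMP_RES_TAC TRUE_EVENT_TIMES_EQUAL
     ;
      IMP_RES_TAC (REWRITE_RULE [PRE_SUB1] LT_IMP_LE_PRE)
      THEN IMP_RES_TAC STABLE_FALSE_THEN
      THEN ASSUME_TAC (SPECL ["ti'':timeC"; "1"] SUB_LESS_EQ)
      THEN IMP_RES_TAC NEW_P_ADDR_STABLE_FROM_TP'_TO_TI'
      THEN IMP_RES_TAC M_LESS_0_LESS
      THEN IMP_RES_TAC (REWRITE_RULE [ADD1] LT_IMP_SUC_LE)
      THEN POP_ASSUM_LIST (MAP_EVERY (\thm. ASSUME_TAC (REDUCE_RULE thm)))
      THEN IMP_RES_TAC (SPECL ["ti'':timeC"; "1"] SUB_ADD)
      THEN ASM_REWRITE_ASSUM_TAC
            ("P_addrS(s' ((ti'' - 1) + 1)) =
              SUBARRAY (FST (L_ad_inE (e' (tp':timeC)))) (25,0)", [])
      THEN ASSUME_TAC (SPEC "25" LESS_EQ_REFL)
      THEN IMP_RES_TAC (ISPEC "FST (L_ad_inE (e' (tp':timeC)))"
                              SUB_SUBARRAY)
      THEN ASM_REWRITE_TAC []
     ])
  ;
   % Subgoal 2: [ "~P_rqtS(s' ti')" ] -- no request pending, flow-through %
   IMP_RES_TAC P_RQT_FALSE_ON_TI'_IMP_FLOWTHRU_CONDS
   THEN IMP_RES_TAC TRANS_TIMES_EQUAL
   THEN ASSUME_TAC (SPEC "25" LESS_EQ_REFL)
   THEN IMP_RES_TAC (ISPEC "FST (L_ad_inE (e' (ti':timeC)))" SUB_SUBARRAY)
   THEN ASM_REWRITE_TAC []
  ]
 );;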

% 


Main Theorem: 


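% Main theorem, stated as an interactive goal: a correct clock-level set
  (PCSet_Correct) abstracted by s e p (PTAbsSet) yields a correct
  transaction-level set (PTSet_Correct). The first step unfolds the
  correctness definitions and inducts over the transaction type PTI; the
  listing shows the four resulting subgoals (Write/Read next-state and
  output cases) but not the tactics that discharge them. %
g "! (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
     (s' :timeC->pc_state) (e' :timeC->pc_env) (p' :timeC->pc_out) .
    PCSet_Correct s' e' p' ==>
    PTAbsSet s e p s' e' p' ==>
    PTSet_Correct s e p";;
e (REPEAT STRIP_TAC
   THEN REWRITE_TAC [PTSet_Correct; PT_Correct; PT_PostC]
   THEN INDUCT_THEN (prove_induction_thm PTI) ASSUME_TAC
   THEN REWRITE_TAC [SYM_RULE (prove_constructors_distinct PTI)]
   THEN REPEAT STRIP_TAC);;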

4 subgoals 

"(s(t + 1) = PT_WriteNSF_A(s t) (a t)) \/ 

(s(t + 1) = PT_WriteNSF_H(s t) (a t))" 

[ "PCSat_Correct s' a' p'" ] 

[ "PTAbsSet s ep s' a' p' " ] 
t "PT_Exac PT_Wrlte sept"] 

[ "PT_PraC PT_Wrlta sept"] 

"p t = PT_WriteOF(s t) (a t)" 

[ "PCSet_Corract s' a ’ p ‘ " ] 

[ "PTAbsSet saps' a ' p ' " ] 

[ "PT_Exac PT_Write s apt" ] 

[ "PT_PreC PT_Mrlta s a p t" ] 

"(s(t + 1) m PT_ReadNSF_A ( s t) (a t)) \/ 

<s(t + 1) = PT_ReadNSF_H(s t) (a t))" 

[ "PCSet_Correct s' a' p'" ] 

[ "PTAbsSet saps' a ' p ' " ] 

[ "PT_Exec PT_Read s apt" ] 

[ "PT_PreC PT_Read s apt" ] 

"p t = PT_ReadOF(s t) (a t)" 

[ "PCSet_Correct s' a' p'" ] 

[ "PTAbsSet s a p s' a' p'" ] 

[ "PT_Bxec PT_Read s apt" ] 

[ "PT_PreC PT_Read s apt" ] 


File: pt_thms1.ml 

Author: (c) D.A. Fura 1992-93 

Date: 7 March 1993 

Theorems used in the P-Port trans-level proof. 
% 


% [PJW] % 

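% FIRST_EXISTS: if the predicate x is true at some time in [t0,t9], then there
  is a u in [t0,t9] at which x becomes true for the first time since t0
  (STABLE_FALSE_THEN_TRUE x (t0,u)). Proof by the well-ordering principle
  WOP applied to the predicate restricted to the interval. %
let FIRST_EXISTS = TAC_PROOF
 (([],
   "! (x :time->bool) (t0 t9 :time) .
     (?t. x t /\ t0 <= t /\ t <= t9) ==>
     (?u. t0 <= u /\ u <= t9 /\ STABLE_FALSE_THEN_TRUE x (t0,u))"),
  REPEAT STRIP_TAC
  THEN IMP_RES_TAC (BETA_RULE (
         SPEC "\t. x t /\ t0 <= t /\ t <= t9" WOP))
  THEN EXISTS_TAC "n':num"
  THEN ASM_REWRITE_TAC [STABLE_FALSE_THEN_TRUE]
  THEN REPEAT STRIP_TAC
  THEN RES_TAC
  THEN IMP_RES_TAC (
         IMP_TRANS
          (SPECL ["t':num"; "n':num"; "t9:num"] LESS_LESS_EQ_TRANS)
          (SPECL ["t':num"; "t9:num"] LESS_IMP_LESS_OR_EQ))
  THEN RES_TAC
 );;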

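% FIRST_EXISTS1: the un-existential form of FIRST_EXISTS, with the witness
  time t as an explicit universally quantified variable.
  NOTE: this is created with mk_thm, i.e. asserted without proof. It follows
  from FIRST_EXISTS by instantiating the existential with t, but that
  derivation is not carried out here, so every result that depends on
  FIRST_EXISTS1 rests on this unproved assertion. %
let FIRST_EXISTS1 = mk_thm
 ([],
  "! (x :time->bool) (t t0 t9 :time) .
    x t /\ t0 <= t /\ t <= t9 ==>
    (?u. t0 <= u /\ u <= t9 /\ STABLE_FALSE_THEN_TRUE x (t0,u))"
 );;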





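% DISJOINT_OR: a \/ b rewritten as the disjoint cases a or (~a /\ b).
  Proof by case analysis on both booleans. %
let DISJOINT_OR = TAC_PROOF
 (([],
   "! (a b :bool) . a \/ b = a \/ ~a /\ b"),
  REPEAT GEN_TAC
  THEN BOOL_CASES_TAC "a:bool"
  THEN BOOL_CASES_TAC "b:bool"
  THEN ASM_REWRITE_TAC []
 );;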

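% RM_NORESET: while any transaction pti executes at t, the reset opcode in
  the environment is RM_NoReset. Follows directly from PT_Exec. %
let RM_NORESET = TAC_PROOF
 (([],
   "! (pti :PTI) (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (t :timeT) .
     PT_Exec pti s e p t ==> (Rst_Opcode_inE (e t) = RM_NoReset)"),
  REWRITE_TAC [PT_Exec]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;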

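% PBM_REQUEST: while a transaction executes, the P-Bus master opcode in the
  environment is one of the six request opcodes (three writes, three reads).
  Proof: unfold PT_Exec and split on whether pti is PT_Write. %
let PBM_REQUEST = TAC_PROOF
 (([],
   "! (pti :PTI) (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (t :timeT) .
     PT_Exec pti s e p t ==>
     ((PB_Opcode_inE (e t) = PBM_WriteLM) \/
      (PB_Opcode_inE (e t) = PBM_WritePIU) \/
      (PB_Opcode_inE (e t) = PBM_WriteCB) \/
      (PB_Opcode_inE (e t) = PBM_ReadLM) \/
      (PB_Opcode_inE (e t) = PBM_ReadPIU) \/
      (PB_Opcode_inE (e t) = PBM_ReadCB))"),
  REWRITE_TAC [PT_Exec]
  THEN REPEAT GEN_TAC
  THEN ASM_CASES_TAC "pti = PT_Write"
  THEN ASM_REWRITE_TAC []
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;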

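% IBS_READY: while a transaction executes, the I-Bus slave opcode in the
  environment is IBS_Ready. Follows directly from PT_Exec. %
let IBS_READY = TAC_PROOF
 (([],
   "! (pti :PTI) (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (t :timeT) .
     PT_Exec pti s e p t ==> (IB_Opcode_inE (e t) = IBS_Ready)"),
  REWRITE_TAC [PT_Exec]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;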

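% IBAS_READY: while a transaction executes, the I-Bus arbiter opcode in the
  environment is IBAS_Ready. Follows directly from PT_Exec. %
let IBAS_READY = TAC_PROOF
 (([],
   "! (pti :PTI) (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (t :timeT) .
     PT_Exec pti s e p t ==> (IBA_Opcode_inE (e t) = IBAS_Ready)"),
  REWRITE_TAC [PT_Exec]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;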

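% ABS_SET_IMP_ABS: the set-level abstraction PTAbsSet gives the per-transaction
  abstraction PTAbs for every time t and every transaction pti. %
let ABS_SET_IMP_ABS = TAC_PROOF
 (([],
   "PTAbsSet s e p s' e' p' ==>
    (! (t :timeT) (pti :PTI) . PTAbs pti s e p t s' e' p')"),
  REWRITE_TAC [PTAbsSet]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
 );;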

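% RST_FALSE: while a transaction executes and the reset slave abstraction
  Rst_Slave holds, the clock-level reset input RstE is false at every u'.
  Proof: unfold the definitions and case-split on the reset being low at all
  times; the other case is refuted by distinctness of the reset opcodes. %
let RST_FALSE = TAC_PROOF
 (([],
   "! (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out) (t :timeT)
      (e' :timeC->pc_env) (pti :PTI) .
     PT_Exec pti s e p t ==>
     Rst_Slave pti e t e' ==>
     (!u':timeC. (SND(RstE (e' u')) = F))"),
  REWRITE_TAC [PT_Exec; Rst_Slave; BSel]
  THEN REPEAT GEN_TAC
  THEN STRIP_TAC
  THEN ASM_REWRITE_TAC []
  THEN ASM_CASES_TAC "!u':timeC. ~SND (RstE (e' u'))"
  THEN ASM_REWRITE_TAC [prove_constructors_distinct rmop]
 );;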

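% ALE_SIG_PB_INIT_FALSE: if tp' is the 0-th (first) time from 0 at which the
  P-Bus ALE signal is true, then at every earlier t' the ALE condition
  (~ads and den) does not hold. Unfolds NTH_TIME_TRUE down to
  STABLE_FALSE_THEN_TRUE and uses 0 <= t'. %
let ALE_SIG_PB_INIT_FALSE = TAC_PROOF
 (([],
   "! (tp' :timeC) (e' :timeC->pc_env) .
     NTH_TIME_TRUE 0 (ale_sig_pb e') 0 tp' ==>
     (!t' :timeC.
       t' < tp' ==> ~(~SND (L_ads_E (e' t')) /\ SND (L_den_E (e' t'))))"),
  REWRITE_TAC [NTH_TIME_TRUE; STABLE_FALSE_THEN_TRUE; BSel; ale_sig_pb]
  THEN BETA_TAC
  THEN REPEAT STRIP_TAC
  THEN ASSUME_TAC (SPEC "t':timeC" ZERO_LESS_EQ)
  THEN RES_TAC
 );;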

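% NTH_ALE_SIG_PB_TRUE: at the n-th time tp' (counted from 0) at which the
  P-Bus ALE signal is true, the ALE condition itself holds: ~ads and den.
  Proof by induction on n, unfolding NTH_TIME_TRUE. %
let NTH_ALE_SIG_PB_TRUE = TAC_PROOF
 (([],
   "! (n :num) (tp' :timeC) (e' :timeC->pc_env) .
     NTH_TIME_TRUE n (ale_sig_pb e') 0 tp' ==>
     (~SND (L_ads_E (e' tp')) /\ SND (L_den_E (e' tp')))"),
  INDUCT_TAC
  THEN REWRITE_TAC [NTH_TIME_TRUE; STABLE_FALSE_THEN_TRUE; ale_sig_pb; BSel]
  THEN BETA_TAC
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
  THEN RES_TAC
 );;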

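% ALE_SIG_IB_TRUE: when the I-Bus ALE signal is true at ti', hlda is asserted
  and one of the three address-latch-enable outputs (male, rale at LO, or
  cale false) is active. The quantified n is unused by the statement; the
  proof nevertheless proceeds by INDUCT_TAC as in the listing. %
let ALE_SIG_IB_TRUE = TAC_PROOF
 (([],
   "! (n :num) (ti' :timeC) (p' :timeC->pc_out) .
     ale_sig_ib p' ti' ==>
     (SND(I_hlda_O (p' ti')) /\ ((SND(I_male_O (p' ti')) = LO) \/
                                 (SND(I_rale_O (p' ti')) = LO) \/
                                 (SND(I_cale_O (p' ti')) = F)))"),
  INDUCT_TAC
  THEN REWRITE_TAC [ale_sig_ib; BSel]
  THEN BETA_TAC
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
  THEN RES_TAC
 );;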

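% NTH_ALE_SIG_IB_TRUE: at the n-th time ti' (from 0) at which the I-Bus ALE
  signal is true, hlda is asserted and one of male/rale (LO) or cale (false)
  is active. Induction on n, unfolding NTH_TIME_TRUE. %
let NTH_ALE_SIG_IB_TRUE = TAC_PROOF
 (([],
   "! (n :num) (ti' :timeC) (p' :timeC->pc_out) .
     NTH_TIME_TRUE n (ale_sig_ib p') 0 ti' ==>
     (SND(I_hlda_O (p' ti')) /\ ((SND(I_male_O (p' ti')) = LO) \/
                                 (SND(I_rale_O (p' ti')) = LO) \/
                                 (SND(I_cale_O (p' ti')) = F)))"),
  INDUCT_TAC
  THEN REWRITE_TAC [NTH_TIME_TRUE; STABLE_FALSE_THEN_TRUE; ale_sig_ib; BSel]
  THEN BETA_TAC
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
  THEN RES_TAC
 );;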

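% PB_REQUEST_ASSUMPS: from the P-Bus slave abstraction PB_Slave, extract the
  assumption that the P-Bus ALE stays false from tp'+1 to u'+1 whenever
  L_ready_O has been false fewer than N times since tp', where N is the
  two-bit value in the low address bits at tp'.
  Proof: expand PB_Slave, case-split on the wanted conjunct, and close the
  other case by enumerating the six request opcodes from PBM_REQUEST. %
let PB_REQUEST_ASSUMPS = TAC_PROOF
 (([],
   "! (pti :PTI) (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (t :timeT) (e' :timeC->pc_env) (p' :timeC->pc_out) (tp' :timeC) .
     PT_Exec pti s e p t ==>
     PB_Slave pti e p t e' p' tp' ==>
     (!u'. LESS_THAN_N_TIMES_FALSE
             (VAL 1 (SUBARRAY (BSel (L_ad_inE (e' tp'))) (1,0)))
             (bsig L_ready_O p') tp' u' ==>
           STABLE_FALSE (ale_sig_pb e') (tp'+1,u'+1))"),
  REPEAT STRIP_TAC
  THEN REWRITE_ASSUM_TAC
        ("PB_Slave pti e p t e' p' tp'", [EXPAND_LET_RULE PB_Slave])
  THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
  THEN ASM_CASES_TAC
        "(!u'. LESS_THAN_N_TIMES_FALSE
                 (VAL 1 (SUBARRAY (BSel (L_ad_inE (e' tp'))) (1,0)))
                 (bsig L_ready_O p') tp' u' ==>
               STABLE_FALSE (ale_sig_pb e') (tp'+1,u'+1))"
  THEN RES_TAC
  THEN ASM_REWRITE_TAC []
  THEN ASSUME_TAC (prove_constructors_distinct pbmop)
  THEN ASSUME_TAC (SYM_RULE (prove_constructors_distinct pbmop))
  THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
  THEN IMP_RES_TAC PBM_REQUEST
  THENL [
   UNDISCH_TAC "PB_Opcode_inE (e (t:timeT)) = PBM_WriteLM"
  ;
   UNDISCH_TAC "PB_Opcode_inE (e (t:timeT)) = PBM_WritePIU"
  ;
   UNDISCH_TAC "PB_Opcode_inE (e (t:timeT)) = PBM_WriteCB"
  ;
   UNDISCH_TAC "PB_Opcode_inE (e (t:timeT)) = PBM_ReadLM"
  ;
   UNDISCH_TAC "PB_Opcode_inE (e (t:timeT)) = PBM_ReadPIU"
  ;
   UNDISCH_TAC "PB_Opcode_inE (e (t:timeT)) = PBM_ReadCB"
  ]
  THEN ASM_REWRITE_TAC []
 );;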

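% IB_READY_ASSUMPS: from the I-Bus master abstraction IB_PMaster, extract the
  two ready-handshake assumptions: srdy falls at some u' after ti'+1, and
  after every I-Bus ready event at u' it falls again at some v' after u'+1.
  Proof: fix the slave opcode to IBS_Ready via IBS_READY, select the matching
  branch of the conditional with COND_FIRST_CHOICE, and supply the witnesses. %
let IB_READY_ASSUMPS = TAC_PROOF
 (([],
   "! (pti :PTI) (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (t :timeT) (e' :timeC->pc_env) (p' :timeC->pc_out) (ti' :timeC) .
     PT_Exec pti s e p t ==>
     IB_PMaster pti e p t e' p' ti' ==>
     (?u'. STABLE_TRUE_THEN_FALSE (bsig I_srdy_E e') (ti'+1,u')) /\
     (!u'. rdy_sig_ib e' p' u' ==>
           (?v'. STABLE_TRUE_THEN_FALSE (bsig I_srdy_E e') (u'+1,v')))"),
  REPEAT STRIP_TAC
  THEN IMP_RES_TAC IBS_READY
  THEN IMP_RES_TAC IB_Opcode_in_ISO
  THEN ASM_REWRITE_ASSUM_TAC
        ("IB_Opcode_inE ((e:timeT->pt_env) t) = IBS_Ready", [])
  THEN ASSUME_TAC (prove_constructors_distinct ibsop)
  THEN IMP_RES_TAC COND_FIRST_CHOICE
  THEN ASM_REWRITE_TAC []
  THENL [
   EXISTS_TAC "u'':timeC"
  ;
   EXISTS_TAC "v':timeC"
  ]
  THEN ASM_REWRITE_TAC []
 );;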

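% IBA_READY_ASSUMPS: from the I-Bus arbiter abstraction IBA_PMaster, extract
  the four arbitration assumptions: hold eventually rises after any u'; a
  falling crqt is answered by a falling cgnt strictly later; crqt implies
  cgnt; and while cgnt is low, hold is high now and one cycle earlier.
  Proof mirrors IB_READY_ASSUMPS, fixing the arbiter opcode to IBAS_Ready;
  the first conjunct's witness v' is obtained from the assumption itself. %
let IBA_READY_ASSUMPS = TAC_PROOF
 (([],
   "! (pti :PTI) (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (t :timeT) (e' :timeC->pc_env) (p' :timeC->pc_out) (t' :timeC) .
     PT_Exec pti s e p t ==>
     IBA_PMaster pti e p t e' p' ==>
     ((!u'. ?v'. STABLE_FALSE_THEN_TRUE (bsig I_hold_E e') (u',v')) /\
      (!u'. CHANGES_FALSE (bsig I_crqt_O p') u' ==>
            (?v'. (u' < v') /\
                  STABLE_TRUE_THEN_FALSE (bsig I_cgnt_E e') (u',v'))) /\
      (!u'. BSel (I_crqt_O (p' u')) ==> BSel (I_cgnt_E (e' u'))) /\
      (!u'. ~BSel (I_cgnt_E (e' u')) ==>
            (BSel (I_hold_E (e' u')) /\ BSel (I_hold_E (e' (u'-1))))))"),
  REPEAT STRIP_TAC
  THEN IMP_RES_TAC IBAS_READY
  THEN IMP_RES_TAC IBA_Opcode_in_ISO
  THEN ASM_REWRITE_ASSUM_TAC
        ("IBA_Opcode_inE ((e:timeT->pt_env) t) = IBAS_Ready", [])
  THEN ASSUME_TAC (prove_constructors_distinct ibasop)
  THEN IMP_RES_TAC COND_FIRST_CHOICE
  THEN ASM_REWRITE_TAC []
  THEN SPEC_ASSUM_TAC
        ("!u'. ?v'. STABLE_FALSE_THEN_TRUE (bsig I_hold_E e') (u',v')",
         "u':timeC")
  THEN CHOOSE_ASSUM_TAC "?v'. STABLE_FALSE_THEN_TRUE (bsig I_hold_E e') (u',v')"
  THEN EXISTS_TAC "v':timeC"
  THEN ASM_REWRITE_TAC []
 );;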

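% NOT_PA: a P-FSM state that is not PA is PD or PH (pfsm_ty has exactly
  these three constructors; proof by structural induction on the type). %
let NOT_PA = TAC_PROOF
 (([], "! (x :pfsm_ty) . ~(x = PA) ==> ((x = PD) \/ (x = PH))"),
  INDUCT_THEN (prove_induction_thm pfsm_ty_Axiom) ASSUME_TAC
  THEN ASM_REWRITE_TAC []
 );;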

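% NOT_PD: a P-FSM state that is not PD is PA or PH. %
let NOT_PD = TAC_PROOF
 (([], "! (x :pfsm_ty) . ~(x = PD) ==> ((x = PA) \/ (x = PH))"),
  INDUCT_THEN (prove_induction_thm pfsm_ty_Axiom) ASSUME_TAC
  THEN ASM_REWRITE_TAC []
 );;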

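% NOT_PH: a P-FSM state that is not PH is PA or PD. %
let NOT_PH = TAC_PROOF
 (([], "! (x :pfsm_ty) . ~(x = PH) ==> ((x = PA) \/ (x = PD))"),
  INDUCT_THEN (prove_induction_thm pfsm_ty_Axiom) ASSUME_TAC
  THEN ASM_REWRITE_TAC []
 );;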

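% PA_IMP_NOT_PD: the P-FSM state PA is distinct from PD. %
let PA_IMP_NOT_PD = TAC_PROOF
 (([],
   "! (a :pfsm_ty) . (a = PA) ==> ~(a = PD)"),
  GEN_TAC
  THEN DISCH_TAC
  THEN ASM_REWRITE_TAC [prove_constructors_distinct pfsm_ty_Axiom]
 );;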

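% PH_IMP_NOT_PD: the P-FSM state PH is distinct from PD. %
let PH_IMP_NOT_PD = TAC_PROOF
 (([],
   "! (a :pfsm_ty) . (a = PH) ==> ~(a = PD)"),
  GEN_TAC
  THEN DISCH_TAC
  THEN ASM_REWRITE_TAC [prove_constructors_distinct pfsm_ty_Axiom]
 );;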

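% PH_IMP_NOT_PA: the P-FSM state PH is distinct from PA.
  The closing ");;" is missing from the scanned listing and is restored. %
let PH_IMP_NOT_PA = TAC_PROOF
 (([],
   "! (a :pfsm_ty) . (a = PH) ==> ~(a = PA)"),
  GEN_TAC
  THEN DISCH_TAC
  THEN ASM_REWRITE_TAC [prove_constructors_distinct pfsm_ty_Axiom]
 );;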
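% NEXT_STATE_NOT_PA: if the next P-FSM state is not PA it is PD or PH.
  Lifts NOT_PA through the New_State_Is_* predicates. %
let NEXT_STATE_NOT_PA = TAC_PROOF
 (([],
   "! (s' :timeC->pc_state) (e' :timeC->pc_env) (t' :timeC) .
     ~New_State_Is_PA s' e' t' ==>
     (New_State_Is_PD s' e' t' \/ New_State_Is_PH s' e' t')"),
  REWRITE_TAC [New_State_Is_PA; New_State_Is_PD; New_State_Is_PH; NOT_PA]
 );;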

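% NEXT_STATE_NOT_PD: if the next P-FSM state is not PD it is PA or PH.
  Lifts NOT_PD through the New_State_Is_* predicates. %
let NEXT_STATE_NOT_PD = TAC_PROOF
 (([],
   "! (s' :timeC->pc_state) (e' :timeC->pc_env) (t' :timeC) .
     ~New_State_Is_PD s' e' t' ==>
     (New_State_Is_PA s' e' t' \/ New_State_Is_PH s' e' t')"),
  REWRITE_TAC [New_State_Is_PA; New_State_Is_PD; New_State_Is_PH; NOT_PD]
 );;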

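% P_RQT_INIT: in a correct clock-level set, if reset is asserted at t' and the
  P-Bus ALE signal is not true at t', the request flag P_rqtS is clear at
  t'+1. Proof via the P_rqt_ISO next-state lemma. %
let P_RQT_INIT = TAC_PROOF
 (([],
   "! (pti :PTI) (s' :timeC->pc_state) (e' :timeC->pc_env) (p' :timeC->pc_out)
      (t' :timeC) .
     PCSet_Correct s' e' p' ==>
     BSel (RstE (e' t')) ==>
     ~ale_sig_pb e' t' ==>
     ~P_rqtS (s' (t'+1))"),
  REWRITE_TAC [BSel; ale_sig_pb]
  THEN BETA_TAC
  THEN REPEAT STRIP_TAC
  THEN UNDISCH_TAC "P_rqtS (s' (t'+1))"
  THEN IMP_RES_TAC P_rqt_ISO
  THEN ASM_REWRITE_TAC []
 );;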

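% P_FSM_RST_INIT: in a correct clock-level set, reset asserted at t' sets the
  P-FSM reset flag P_fsm_rstS at t'+1 (via P_fsm_rst_ISO). %
let P_FSM_RST_INIT = TAC_PROOF
 (([],
   "! (pti :PTI) (s' :timeC->pc_state) (e' :timeC->pc_env) (p' :timeC->pc_out)
      (t' :timeC) .
     PCSet_Correct s' e' p' ==>
     BSel (RstE (e' t')) ==>
     P_fsm_rstS (s' (t'+1))"),
  REWRITE_TAC [BSel]
  THEN REPEAT STRIP_TAC
  THEN IMP_RES_TAC P_fsm_rst_ISO
  THEN ASM_REWRITE_TAC []
 );;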

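% P_FSM_STATE_INIT: in a correct clock-level set, reset asserted at t' means
  the P-FSM state two cycles later (t'+2) is not PD.
  Proof: P_FSM_RST_INIT gives the reset flag at t'+1; P_fsm_state_ISO
  instantiated at t'+1 (with 1+1 reduced to 2) then fixes the state at t'+2,
  which is distinct from PD by constructor distinctness.
  The transaction-level variables pti, s, e, p, t are quantified but unused. %
let P_FSM_STATE_INIT = TAC_PROOF
 (([],
   "! (pti :PTI) (s :timeT->pt_state) (e :timeT->pt_env)
      (p :timeT->pt_out) (t :timeT) (s' :timeC->pc_state) (e' :timeC->pc_env)
      (p' :timeC->pc_out) (t' :timeC) .
     PCSet_Correct s' e' p' ==>
     BSel (RstE (e' t')) ==>
     ~(P_fsm_stateS (s' (t'+2)) = PD)"),
  REPEAT STRIP_TAC
  THEN IMP_RES_TAC P_FSM_RST_INIT
  THEN UNDISCH_TAC "P_fsm_stateS (s' (t'+2)) = PD"
  THEN IMP_RES_TAC
        (REWRITE_RULE
          [ASSOC_ADD_ADD1; REDUCE_CONV "1+1"]
          (SPECL ["s':timeC->pc_state"; "e':timeC->pc_env"; "p':timeC->pc_out";
                  "t'+1"] (GEN_ALL P_fsm_state_ISO)))
  THEN ASM_REWRITE_TAC [prove_constructors_distinct pfsm_ty_Axiom]
 );;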

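% P_FSM_RST_FALSE: while a transaction executes under the reset slave
  abstraction (so the clock-level reset is never asserted, RST_FALSE), the
  P-FSM reset flag is clear at every t' >= 1.
  Proof: rewrite t' as (t'-1)+1 with SUB_ADD so P_fsm_rst_ISO at t'-1 applies;
  the 1 <= t' hypothesis is what makes that subtraction exact. %
let P_FSM_RST_FALSE = TAC_PROOF
 (([],
   "! (t' :timeC) (pti :PTI) (s :timeT->pt_state) (e :timeT->pt_env)
      (p :timeT->pt_out) (t :timeT) (s' :timeC->pc_state) (e' :timeC->pc_env)
      (p' :timeC->pc_out) (tp' :timeC) .
     PCSet_Correct s' e' p' ==>
     PT_Exec pti s e p t ==>
     Rst_Slave pti e t e' ==>
     (1 <= t') ==>
     ~P_fsm_rstS (s' t')"),
  REPEAT STRIP_TAC
  THEN IMP_RES_TAC RST_FALSE
  THEN UNDISCH_TAC "P_fsm_rstS (s' (t':timeC))"
  THEN IMP_RES_TAC (SYM_RULE (SPECL ["t':timeC"; "1"] SUB_ADD))
  THEN PURE_ONCE_ASM_REWRITE_TAC []
  THEN POP_ASSUM (\thm. ALL_TAC)
  THEN IMP_RES_TAC
        (SPECL ["s':timeC->pc_state"; "e':timeC->pc_env"; "p':timeC->pc_out";
                "t'-1"] (GEN_ALL P_fsm_rst_ISO))
  THEN ASM_REWRITE_TAC []
 );;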
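% I_CALE_IMP_I_CGNT: in a correct clock-level set, if the cale output is low
  at t' then the cgnt input is low at t' (via the I_cale_ISO lemma).
  The transaction-level variables and ti' are quantified but unused. %
let I_CALE_IMP_I_CGNT = TAC_PROOF
 (([],
   "! (t' :timeC) (pti :PTI) (s :timeT->pt_state) (e :timeT->pt_env)
      (p :timeT->pt_out) (t :timeT) (s' :timeC->pc_state) (e' :timeC->pc_env)
      (p' :timeC->pc_out) (ti' :timeC) .
     PCSet_Correct s' e' p' ==>
     ~SND (I_cale_O (p' t')) ==>
     ~SND (I_cgnt_E (e' t'))"),
  REPEAT GEN_TAC
  THEN DISCH_TAC
  THEN IMP_RES_TAC I_cale_ISO
  THEN ASM_REWRITE_TAC []
  THEN DISCH_TAC
  THEN ASM_REWRITE_TAC []
 );;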

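% IBUS_ALE_IMP_PA: in a correct clock-level set, an I-Bus ALE at ti' means the
  next P-FSM state is PA. Proof: unfold ale_sig_ib, bring in the ISO lemmas
  for the three ALE outputs, split on the next state being PA, and refute the
  PD/PH cases (from NOT_PA) by distinctness of the state and wire constructors.
  The goal's free variables s', e', p', ti' are not quantified in the listing. %
let IBUS_ALE_IMP_PA = TAC_PROOF
 (([],
   "PCSet_Correct s' e' p' ==>
    ale_sig_ib p' ti' ==>
    New_State_Is_PA s' e' ti'"),
  REWRITE_TAC [New_State_Is_PA; ale_sig_ib; BSel]
  THEN BETA_TAC
  THEN DISCH_TAC
  THEN IMP_RES_TAC I_male_ISO
  THEN IMP_RES_TAC I_rale_ISO
  THEN IMP_RES_TAC I_cale_ISO
  THEN ASM_CASES_MATCH_RHS_TAC "PA"
  THEN IMP_RES_TAC NOT_PA
  THEN ASM_REWRITE_TAC
        [WIRE; SYM_RULE (prove_constructors_distinct pfsm_ty_Axiom);
         prove_constructors_distinct wire;
         SYM_RULE (prove_constructors_distinct wire)]
 );;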

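% IBUS_ALE_IMP_NEW_P_RQT: in a correct clock-level set, while a transaction
  executes under the arbiter abstraction IBA_PMaster, an I-Bus ALE at ti'
  means a new P request is raised (New_P_Rqt_Is_TRUE) at ti'.
  Proof: assume the negation and derive a contradiction separately for each
  of the three ways ale_sig_ib can hold -- male low, rale low, or cale low.
  The male/rale cases use the corresponding ISO lemma and wire distinctness;
  the cale case additionally needs the crqt ==> cgnt arbitration assumption
  from IBA_READY_ASSUMPS to contradict I_cale_ISO.
  The goal's free variables are not quantified in the listing. %
let IBUS_ALE_IMP_NEW_P_RQT = TAC_PROOF
 (([],
   "PCSet_Correct s' e' p' ==>
    PT_Exec pti s e p t ==>
    IBA_PMaster pti e p t e' p' ==>
    ale_sig_ib p' ti' ==>
    New_P_Rqt_Is_TRUE s' e' ti'"),
  REWRITE_TAC [ale_sig_ib; BSel]
  THEN BETA_TAC
  THEN ASM_CASES_TAC "New_P_Rqt_Is_TRUE s' e' ti'"
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
  THENL [
   % Subgoal 1: [ "SND(I_male_O(p' ti')) = LO" ] %
   UNDISCH_TAC "SND(I_male_O(p' (ti':timeC))) = LO"
   THEN IMP_RES_TAC I_male_ISO
   THEN REWRITE_ASSUM_TAC
         ("~New_P_Rqt_Is_TRUE s' e' ti'", [New_P_Rqt_Is_TRUE; New_State_Is_PD])
   THEN ASM_REWRITE_TAC
         [New_P_Rqt_Is_TRUE; New_State_Is_PD;
          WIRE; SYM_RULE (prove_constructors_distinct pfsm_ty_Axiom);
          prove_constructors_distinct wire;
          SYM_RULE (prove_constructors_distinct wire)]
   THEN COND_CASES_TAC
   THEN ASM_REWRITE_TAC
         [prove_constructors_distinct wire;
          SYM_RULE (prove_constructors_distinct wire)]
  ;
   % Subgoal 2: [ "SND(I_rale_O(p' ti')) = LO" ] %
   UNDISCH_TAC "SND(I_rale_O(p' (ti':timeC))) = LO"
   THEN IMP_RES_TAC I_rale_ISO
   THEN REWRITE_ASSUM_TAC
         ("~New_P_Rqt_Is_TRUE s' e' ti'", [New_P_Rqt_Is_TRUE; New_State_Is_PD])
   THEN ASM_REWRITE_TAC
         [New_P_Rqt_Is_TRUE; New_State_Is_PD;
          WIRE; SYM_RULE (prove_constructors_distinct pfsm_ty_Axiom);
          prove_constructors_distinct wire;
          SYM_RULE (prove_constructors_distinct wire)]
   THEN COND_CASES_TAC
   THEN ASM_REWRITE_TAC
         [prove_constructors_distinct wire;
          SYM_RULE (prove_constructors_distinct wire)]
  ;
   % Subgoal 3: [ "~SND(I_cale_O(p' ti'))" ] %
   IMP_RES_TAC (REWRITE_RULE [BSel] IBA_READY_ASSUMPS)
   THEN SPEC_ASSUM_TAC
         ("!u':timeC. SND (I_crqt_O (p' u')) ==> SND (I_cgnt_E (e' u'))",
          "ti':timeC")
   THEN UNDISCH_TAC "~SND(I_cale_O(p' (ti':timeC)))"
   THEN IMP_RES_TAC I_crqt_ISO
   THEN SPEC_UNDISCH_MATCH_LHS_TAC ("I_crqt_O(p' (t:timeC))", "ti':timeC")
   THEN REWRITE_ASSUM_TAC
         ("~New_P_Rqt_Is_TRUE s' e' ti'", [New_P_Rqt_Is_TRUE; New_State_Is_PD])
   THEN ASM_REWRITE_TAC []
   THEN DISCH_TAC
   THEN RES_TAC
   THEN UNDISCH_TAC "SND(I_crqt_O(p' ti')) ==> SND (I_cgnt_E (e' (ti':timeC)))"
   THEN ASM_REWRITE_TAC []
   THEN DISCH_TAC
   THEN IMP_RES_TAC I_cale_ISO
   THEN ASM_REWRITE_TAC []
  ]
 );;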

let IBUS_ALE_IMP_FSM_RQT = TAC_PROOF 

(((], 

"I (t' itimeC) (pti tPTI) (s itimeT->pt_state) (e itimeT->pt_env) 

(p itimeT->pt_out) (t ttimeT) (s' itimeC->pc_state) (o' ;timeC->pc_env) 
(p' »timeC->pc_out) (ti' itimeC) . 

PCSet_Correct s' e' p' ==> 
ale_sig_ib p' ti' «■> 

PT_Bxec pti sept *=> 

IBA_PMast.er pti e p t e' p' ==> 

(P_fsm_mrqtS (s' (ti' +1)) \/ 

-P_f sm_erqt_S (s' (ti' +1)) /\ ~P_f sm_cgnt_S (s' (ti' + 1)))"), 

REPEAT STRIP_TAC 

THEN IMP_RBS_TAC ALB_SIQ_IB_TRUE 
THENL [ 

IMP_RBS_TAC IBUS_ALE_IMP_PA 

THEN RBWRITE_ASSUM_TAC ("New_State_Is_PA s' e' ti ' [New_State_Is_PA] ) 

THEN UNDISCH_TAC "SND ( l_male_0 ( (p' i timeC->po_out ) ti')) = LO" 

THEN IMP_RES_TAC P_f sm_mr qt_ISO 
THEN IMP_RES_TAC I_male_ISO 
THEN ASM_RBWRITB_TAC 

[WIRE ; COND_PALSE_TRDE ; COND_PALSE_CHOICES ; 
prove_constructors_distinct p£ sn\_ty_Axiom; 

SYM_RULE (prove_constructors_distinct pf sm_ty_Axiom) ] 

THEN AS S UME_ T AC (prove_construotors_distinct wire) 

THEN POP_ASSOM_LXST (MAP_EVERY (\thm. STRIP_ASSOME_TAC thm) ) 

THEN DISCH_TAC 

THEN IMP_RBS_TAC COND_SBCOND_CHOICB 

THEN POP_ASSOM_I,IST (MAP_BVERY (\thm. ASSUME__TAC ( REWRITE_RULE (] tbm) ) ) 
THEN ASM_REWRITE_TAC[] 

; 

IMP_RES_TAC IBUS_ALE_IMP_PA 

THEN REWRITE_ASSDM_TAC ( "New_State_Is_PA s ' e' ti ' ", [New_State_Is_PA] ) 

THEN UNDISCH_TAC "SND ( I_rale_0 ( (p' itimeC->pc_out) ti')) * DO" 

THEN IMP_RBS_TAC P_f sm_mrqt_ISO 
THEN IMP_RES_TAC I_rale_ISO 
THEN ASM_REWRITE_TAC 

[WIRE ; COND_FALSE_TROE ; COND_FAX,SB_CHOICES ; 
prove_constructors_distinct pf sm_ty_Axiom; 
sym_RDLE (prove_constructors_distinct pf snuty_Axiom) ] 

THEN AS S UME_T AC (prove_constructors_distinct wire) 

THEN POP_ASSOM_LIST (MAP_EVERY (\thm. STRIP_ASStJME_TAC thm)) 

THEN DISCH_TAC 

THEN IMP_RES_TAC COND_SECOND_CHOICE 

THEN POP_ASSUM_LIST (MAP_EVERY (\thm. ASSOME_TAC (RBWRITE_RULE [] thm))) 
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THEN ASM_RBWRITE_TAC [ ] 

I 

IMP_RBS_TAC (RBWRITE_RULB [BSel] IBA_READY_ASSUMPS ) 

THEN NRULB_ASSUM_TAC 

("!u'. SND(I_crqt_0(p' (u' : timec) ) ) ==> 

SND(I_egnt_E(e' (u' t timec) ) ) ", 

(CONTRAPOS o (SPEC "ti' i timeC") ) ) 

THEN POP_ASSOM_LIST (MAPJEVERY (\thm. ASSOME_TAC (REMRITE_RULE [] thro))) 
THEN IMP_RES_TAC I_CALE_IMP_I_CONT 
THEN RES_TAC 

THEN IMP_RES_TAC IBUS_ALE_IMP_PA 

THEN RBWRITE_ASSUM_TAC ( "New_State_Is_PA s' a' ti ' ", [New_State_Is_PA] ) 

THEN IMP_RES_TAC P_f sm_crqt_ISO 

THEN IMP_RBS_TAC P_f SBLCgnt_ISO 

THEN IMP_HBS_TAC I_eale_ISO 

THEN IMP_RES_TAC I_crqt_ISO 

THEN ONDISCH_TAC "-SND ( l_cal«_0 ( (p' : timeC->pc_out ) ti'))" 

THEN UNDISCH_TAC "-SND ( I_orqt_0 ( (p ' i tim«C->pc_out ) ti ' ) ) " 

THEN ASM_REWRITE_TAC 

[WIRE ; COND_FALSE_TRUB > COND_FALSE_CHOXCBS ; 
prove_constructors_distinct p £ sm_ty_ J Axiom> 

SYM_ROLB (prova_constructors_distinct pf sm_ty_Axioro) ] 

THEN DISCH_TAC 

THEN ASH_RBWRXTE_TAC [] 

] 

);» 

let P_RQT_UPTO_FIRST = TAC_PROOF 

(([]. 

" 1 (t' ttiroeC) (pti tPTI) (a itimeT->pt_state) (a itimeT->pt_env) 

(p itimeT->pt_out) (t ttimaT) (s' ttimeC->pc_stata) (a' itimeC->pc_anv) 
(p' itimaC->pc_out) (tp' ttimeC) . 

PCSet_Correet a' a' p' ««> 

NTH_TXME_TRUE 0 (ale_aig_pb a') 0 tp' ==> 

PT_Bxec pti sept =*> 

Rst_Slave pti ate' ==> 

PStataAbs pti septs' e'p' tp' ==> 

(t' <= tp') ==> 

~P_rqtS (s' t')"), 

INDUCT_TAC 
THENL [ 

% Subgoal li (t' Base Casa) % 

REWRITB_TAC [PStataAbs] 

THEN REDUCE_TAC 
THEN REPEAT STRXP_TAC 
THEN RBS_TAC 

) 

% subgoal 2i (t' Induction Step) % 

REPEAT STRXP_TAC 

THEN ASSUMB_TAC (SPBC "t'ltiroaC" LESS_EQ_SUC_RBFL) 

THEN IMP_RES_TAC LESS_EQ_TRANS 
THEN IMP_RES_TAC ALE_SXO_PB_INXT_FALSE 
THEN IMP_RES_TAC OR.LBSS 
THEN RBS_TAC 

THEN UNDISCH_TAC "P_rqtS ( S ' ( SUC t'))" 

THEN IMP_RES_TAC P_rqt_ISO 

THEN ASM_RBWRITB_TAC [AUDI ; COND_TRDE_TRUE ) COND_FALSE_CHOICES ] 

] 

) n 

let ALE_SIQ_IB_FALSE_UPTO_FIRST « TAC_PROOF 

(([), 

"! (t' itiroaC) (s' itimaC->pc_stata) (a' :timeC->pc_env) (p' ! tiroeC- >pc_out) 
>pt_state) (a :timeT->pt_env) (p ttimeT->pt_out) (t itimeT) 

(pti iPTX) (tp' itiroaC) . 

PCSat_Corract s' a' p' ==> 

NTH_TIME_TRUE 0 (ale_sig_pb a') 0 tp' ==> 
tp' >0 ■«> 

PT_Exec pti sept ==> 

PStataAbs pti septs'e'p'tp' ==> 

Rst_Slave pti ate' =»> 

XBA_PMastar pti a p t a' p' ==> 


(s itimoT- 
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STABLE_FALSE (ale_sig_ib p ' ) <0,tp'-l)") 


REPEAT STRIP_TAC 

THEN IMP_RES_TAC P_RQT_UPTO_FIRST 

THEN UNDISCH_TAC "NTH_TIMB_TRUE 0 (ale_sig_pb e')0 tp'" 

THEN RBWRITE_TAC [NTH_TIMB_TRUB ; STABLE_FALSE_THEN_TRUE ; STABLE_FALSE ; 

ale_8 ig_pb ; ale_s ig_ib ; BSel; ZERO_LESS_BQ] 

THEN BETA_TAC 

THEN REPEAT STRXP_TAC 

THEN IMP_RES_TAC (RIMP ONB_LBSS_EQ) 

THEN IMP_RES_TAC ( REWRITE_RULE [PRE_SDB1] LE_PRE_IMP_LT ) 

THEN IMP_RHS_TAC LT_IMP_LE 

THEN SPBC_ASSUM_TAC ("It', t' <= tp' ==> ~P_rqtS(B' t ')", "t' ItimeC") 
THEN SPEC_ASSOM_TAC 

("It. t < tp' ==> - ( -SND ( L_ads_B ( e ' t)) /\ SND ( L_den_B ( e ' t)))" 
"t' itimeC") 

THEN RES_TAC 
TBBNL [ 

% Subgoal li "SND(I_male_0(p' t')) = LO" % 

ONDISCH_TAC "SND ( l_male_0 ( (p' itim«C->pc_out) t ' ) ) = LO" 

THEN IMP_RES_TAC I_male_ISO 

THEN ASM_RBWRITB_TAC ICOND_FALSE_TRDE ; COND_FALSE_CHOICES jWIRE] 

THEN ASM_CASES_MATCH_RHS_TAC "PH" 

THEN ASM_REWRITE_TAC [prove_constructorB_distinct wire; 

SYM_ROLE (prove_con8tructors_distinot wire)] 

1 

% Subgoal 2i "SND(I_rale_0(p' t')) = LO" Ss 
DNDISCH_TAC "SND(I_rale_0( (p' itimeC->pc_out) t')) = LO" 

THEN IMP_RES_TAC I_rale_ISO 

THEN ASM_RBWR I TE_TAC ( COND_FALSE_TRUB ; COND_FALSE_CHOICES ) WIRE ] 

THEN ASM_CASBS_MATCH_RHS_TAC "PH" 

THEN ASM_REWRITE_TAC [prove_constructor8_dietinct wire; 

SYM_RULE (prove_con8tructorB_distinot wire)] 

; 

% Subgoal 3i "-SND(I_oale_0(p' t'))" % 

UNDISCH_TAC "~SND ( I_oale_0 ( (p ' I timeC->pc_out ) t ' ) ) " 

THEN XMP_RES_TAC XBA_RBADY_ASSOMPS 
THEN NRtJLB_ASSUM_TAC 

("lu'itimeC. BSel(X_crqt_0(p' u')) ==> BSel(I_ognt_E(e' u'))" 
( (RBWRITE_RDLE [BSel] ) o (SPEC "t ' itimeC") ) ) 

THEN UNDXSCH_TAC "SND(X_crqt_0(p' (t'stimeC))) ==> SND ( I_cgnt_E ( e ' t 
THEN XMP_RES_TAC I_crqt_ISO 

THEN ASM_REWRXTB_TAC tCOND_TROE_TRDE ; COND_FALSE_CHOXCBS ] 

THEN DXSCH_TAC 

THEN XMP_RES_TAC I_cale_ISO 

THEN ASM_REWRXTE_TAC £ COND_FALSE_CHOICES ; COND_FALSE_TROE ] 

THEN ASM_RBHRXTB_TAC[] 

] 

);; 

let BXTRACT_ADDR «= TAC_PROOF 

(([], 

"SUBARRAY 

(HALTER 

(MALTBR 

(ALTER 

(ALTER 

(MALTBR 

ARBN 

(31,28) 

((~P_rqtS( ( b' itimeC->pc_atate) ti')) => FST ( L_be_E ( e ' ti')) 

I P_be_S ( 8 ' ti'))) 

27 

( (~P_rqtS(s ' ti')) »> FST ( L_wrB ( e ' ti')) I P_wrS(s' ti'))) 

26 

F) 

(25,24) 

(SUBARRAY 

((~P_rqtS(s' ti')) => 

SUBARRAY ( FST ( L_ad_iaE ( e ' ti')))(25,0) I 
P_addrS ( s ' ti')) 

( 1 , 0 ) ) ) 

(23,0) 
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(SUBARRAY 

((~P_rqtS(a' ti')) »> 

SUBARRAY ( PST ( L_ad_inE ( a ' ti')))(25,0) I 
P_addrS (a ' ti')) 

(25.2) )) 

(23,0) 

SUBARRAY 

<(-P_rqtS<B' ti')) => 

SUBARRAY (FST (L_ad_inE <e ' ti')))(25,0) I 
P_addrS(a' ti')) 

(25.2) ") , 

CONV_TAC (ONCE_.DBPTH_.CONV FUN_BQ_C0NV) 

THEN OEN_TAC 

THEN RBWRITE_TAC [ALTBR_THMjMALTBR_THM; SUBARRAY_THM ) ADD_CLAUSBSj ZBR0_LESS_EQ; 
C0ND_TRUB_TRUE ] 

THEN ASSUMB_TAC (SPEC "ns Hum" ZBRO_LESS_EQ ) 

THEN ASSUMB_TAC (SPEC "2" ZBRO_LESS_EQ) 

THEN IMP_RES_TAC (SPSCL ["asnum" ; "0" 1 "2"] ASS0C_SUB_ADD1) 

THEN ASM_REWRITE_TAC [SYMJRULB (SPECL ("mnum"; "23 "j "2") 

LESS_EQ_MONO_ADD_EQ) ] 

THEN REDUCB_TAC 

THEN RENRITB_TAC [COND_TRUB_TRUE J 
)ll 

let PRE_EXEC_PREC = TAC_PROOF 

(([], 

"! (t stimeT) (a itimeT->pt_atata) (e itimeT->pt_env) (p s t imeT - >pt„out ) 

(pti tPTI) . 

PT_PreC pti 8 e p (sue t) ■»> 

(TptiO. PT_Exee ptiO a e p t /\ PT_PreC ptiO a e p t)"), 

REWRITE_TAC [PT_PreC] 

THEN REPEAT STRIP_TAC 
THENL [ 

EXISTS_TAC "PT_Write" 

THEN ASM_RBWRITE_TAC [ ] 

; 

BXISTS_TAC "PT_Read" 

THEN ASM_RBWRITE_TAC [ ] 

1 

) ;; 

let PRBC = TAC_P ROOF 

(([], 

"i (t stimeT) (pti sPTI) 

(a stimeT- >pt_atate) (e stimeT->pt_eav) (p stimeT->pt_out) . 

PT_PreC pti a e p t =«:> 

- (PT_£anu»tateS (a t) = PD) /\ 

-PT_rqtS (a t ) " ) , 

INDUCT_TAC 

THEN RBWRITB_TAC [PT_PreC] 

THEN REPEAT STRIP_TAC 
THEN RES_TAC 

)n 

let ALE_SIO_IB_TRUE_ON_TP ' = TAC_PROOF 

(( U, 

" I (t stimeT) (pti s PTI) 

(a stimeT->pt_atate) (a stimeT->pt_env) (p stimeT->pt_out) 

(a' stimeC->pc_atate) (e' stimeC->pc_env) (p' stimeC->po_out) 

(tp' stimeC) . 

PCSet_Correct a' e' p' ==> 

NTH_TIMB_TRUE t (ale_aig_pb e') 0 tp' ==> 

FT_Exec pti sept ss> 

PT_PreC pti sept »=> 

PStateAba pti aepta' e'p' tp' ==> 

Rat_Slave pti e t e' ==> 

New_State_Ia_PA a' e' tp' ==> 

-ELEMENT (FST(L_ad_inB (e' tp'))) 31 — > 
ale_a ig_ib p ' tp ' " ) , 

REWRITB_TAC [New_Statte_Ia_PAjale_sia_ib;BSel] 

THEN BETA_TAC 
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THEN REPEAT STRIP_TAC 
THBNL [ 

% Subgoal li "SND ( X_hlda_0 (p ' tp'))" % 

IMP_RES_TAC I_hlda_ISO 
THEN ASM_REWR I TE_ T AC 

[ S YM_RULB (prova_constructora_distinct pf am_ty_Axiom) ] 

l 

% Subgoal 2t " (SND(I_mala_0(p' tp')) = LO) \/ 

( SND ( l_rale_0 (p ' tp')) = LO) \/ 

-SND ( l_cale_0 (p ' tp ' ) ) " % 

IMP_RBS_TAC PREC 

THEN 1MP_RES_TAC RST_FALSB 

THEN XMP_RKS_TAC NTH_ALB_SXO_PB_TRUE 

THEN SPBC_ASSUM_TAC ("!u'. SND(RatE(e' (U' ttimeC) ) ) = F", "tp' ttimeC") 
THEN ASM_RBWRITB_ASSUM_TAC 

("PStataAba pti a a p t a' a' p' tp'", [PStataAba] ) 

THEN POP_ASSOM_LIST (MAP_EVERY ( \thm. STRIP_ASSUME_TAC thm) ) 

THEN IMP_RES_TAC I_male_ISO 
THEN IMP_RES_TAC I_rala_ISO 
THEN ASSUME_TAC (SPEC "25" LESS_BQ_REFL) 

THEN ASM_CASES_TAC "tp' >0" 

THBNL [ 

% Subgoal 2. It "tp'>0" % 

RBS_TAC 

THEN IMP_RES_TAC 

(ISPEC "FST ( L_ad_inE ( a ' (tp' ttimeC) ) ) " SUB_SUBARRAY) 

THEN ASM_REWRITE_TAC 

[HIRE; SYM_ROLB (prove_oonstruotors_diatinct pf sm_ty_Axiom) ; 
prova_constructor8_dlatinct pf am_ty_Axiom] 

THEN ASN_CASBS_TAC 

"SUBARRAY (FST (L_ad_inE (a ' (tp' ttimeC) ))) (25, 24) = WORDN 1 3" 

) 

% subgoal 2.2t "~tp'>0" % 

REWRITB_ASSUM_TAC ("-tp' > 0", [SYM_RULE NOT_EQ_ZERO] ) 

THEN IHP_RBS_TAC 

(ISPEC "FST ( L_ad_inB ( a ' 0))" SUB_SUBARRAY ) 

THEN ASH_RENRITB_TAC 

[WIRB;SYM_RULB(prove_con8truotora_diatinot pf sm_ty_Axiom) ; 
prove_conatructora_diatinct pfam_ty_Axiom] 

THEN ASM_CASBS_TAC 

"SUBARRAY (FST ( L_ad_inE ( a ' 0) ) ) (25,24) = WORDN 1 3" 

] 

THEN ASH_REWRITE_TAC [prova_conatructor8_dlatlnct wire] 

1 

)n 

let P_RQT_PREVENTS_NEW_STATE_PD « TAC_PROOF 

(([], 

"1 (a' t timaC->pc_atate) (e' i t imaC - >pc_anv ) (p' :timaC->pe_out) 

(t' ttimeC) . 

PCSat_Corract a' a' p' ==■> 

- (P_f am_»tataS (a' t') = PD) ==> 

-P_rqts (a' t') ==> 

(t' > 0) ■=> 

-Naw_Stata_Ia_PD a' a' t'"), 

REWRITE_TAC (SYM_RULE ONB_LBSS_EQ] 

THEN REPEAT STRIP_TAC 

THEN UNDISCH_TAC "Naw_State_Ia_PD a' e' t'" 

THEN RBWRITB_TAC (New_State_Ia_PD] 

THEN ASM_CASES_TAC "P_f anuratS ( a ' ( t ' t timeC ) ) " 

THEN IMP_RES_TAC NOT_PD 

THEN ASM_REWRITB_TAC (prove_conatruotora_di8tinct pf 8m_ty_Axiom) 

SYM_RULE (prove_oonatructora_diatinct pf sm_ty_Axiom) ] 

THBNL [ 

IMP_RES_TAC SUB_ADD 

THEN IMP_RBS_TAC P_f am_mrqt_ISO 

THEN SPEC_UNDISCH_MATCH_LHS_TAC ("P_f sm_nrqtS (a' (t + l))","t'-l") 

THEN IMP_RE S_TAC P_f am_crqt_ISO 

THEN SPEC_UNDISCH_MATCH_LHS_TAC ("P_f am_crqt_S ( a ' (t + l))","t'-l") 

THEN IMP_RES_TAC (SYM_RULB P_rqt_ISO) 

THEN SPEC_UNDISCH_MATCH_RHS_TAC ("P_rqtS(a' (t + l))","t'-l") 

THEN ASH_REWRITE_TAC[] 
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THEN DISCH_TAC 

THEN ASM_REWRITB_TAC [ ] 

THEN DISCH_TAC 
THEN DISCH_TAC 
THEN ASM_REWRITB_TAC U 

THEN ASM_CASBS_TAC " ( ~P_f 8m_hold_S ( s ' (t'itimeC)) A P_f am_lock_S (s ' t'))" THEN ASM_- 

REWRITB_TAC [prove_conatructors_diBtinct pf am_ty_Axiom] 

; 

ASM_CASBS_TAC "P_f8m_hold_S (s' (t ' ! timeC) ) " 

THEN ASM_REWRITB_TAC [prove_con8tructora_diBtinct pf sm_ty_Axiom] 

] 

) J l 

lot NOT_IBUS_ALB_IMP_NOT_FSM_RQT = TAC_PROOF 

(([], 

"! (t' itimeC) (pti iPTX) 

(8 s timeT->pt_atata ) (a : timeT->pt_onv) (p itimoT->pt_out) (t stimeT) 

(8' : timoC ->po_8 tat o) (o' : t ime C - >pc_env ) (p' i timoC - >pc_out ) . 

PCS«t_Corr«ct 8' o' p' ==> 

PT_Bxoc pti 8 o p t «=> 

IBA_PMaator pti a p t o' p' ==> 

Now_Stato_l8_PA e' o' t' ==> 

~al«_aig_ib p' t' ==> 

~(P_fam_mrqtS(8' (t' +1)) \/ 

~P_f am_crqt_S (s ' (t ' +1)) A ~P_f sm_cgnt_S (s ' (t ' + 1)))"), 

REWRITB_TAC [alo_8ig_ib> BSol] 

THEN BBTA_TAC 

THEN REWRITE_TAC [DB_M0RQAN_THM] 

THEN REPEAT STRXP_TAC 
THBNL [ 

% Subgoal li t "~SND(I_hlda_0(p' t ' ) ) " ] 

[ "P_fam_mrqtS(a' (t' + 1))" ] % 

REWRITB_ASSUM_TAC ("Now_Stato_l8_PA 8' e' t [Now_Stato_Xs_PA] ) 

THEN 0NDISCH_TAC "~SND(I_hlda_0(p' (t ' : timoC) ) ) " 

THEN IMP_RES_TAC I_hlda_ISO 
THEN ASM_RBWRITE_TAC 

[ SYM_RULE (provo_constructora_diatinct p£ anuty_ Axiom) ] 
l 

% Subgoal 2: "P_£am_crqt_S(8' (t' +1)) \/ P_£sm_cgnt_S (s ' (t ' + 1))'' 

£ "~SND ( l_hlda_0 (p ' t'))" ] % 

RBWRITE_ASSUM_TAC ( "Now_Stato_l8_PA 8' o' t ' [Naw_State_Is_PA] ) 

THEN DNDISCH_TAC "-SND ( l_hlda_0 (p ' ( t ' t timoC ) ) ) " 

THEN IMP_RES_TAC I_hlda_ISO 
THEN ASM_REWRITB_TAC 

[SYM_RULE (prove_constructor8_dlatinct pf sm_ty_Axiom) J 
l 

% Subgoal 3i [ "~ (SND(I_malo_0(p' t ' ) ) = LO)" ] 

[ (SND (X_ralo_0(p ' t')) = LO)" ] 

I "SND ( l_calo_0 (p ' t'))" ] 

[ "P_fam_mrqts (a ' (t ' + 1))" ] % 

UNDISCH_TAC "P_f 8ia_mrqtS (a ' (t ' + 1))" 

THEN IMP_RBS_TAC P_f amjnrqt_ISO 

THEN REWRITH_ASSOM_TAC ("Naw_Stato_X8_PA 8' o' t ' ", [New_Stato_Is_PA] ) 

THEN ASM_RBWRITB_TAC [prov8_conatructora_diatinct p£ sm_ty_Axiom) 

THEN STRIP_TAC 

THEN 0NDISCH_TAC (SND ( l_malo_0 (p ' ( t ' 1 timoC) ) ) = LO) " 

THEN IMP_RBS_TAC I_malo_ISO 
THEN ASM_REWRITB_TAC 

[SYM_RULB (provo_conatruotor8_diatinot pf Bm_ty_ J Axiom) ; 
provo_cona tructora_dia t inct pf am_ty_Axiom/ WIRE ] 

THEN COND_CASES_TAC 

THEN UNDXSCH_TAC (SND (l_ralo_0 (p ' (t'ttimeC))) = LO)" 

THEN IMP_RBS_TAC I_ralo_ISO 
THEN ASM_RBWRITB_TAC 

£SYM_RULE (provo_conBtructor8_di8tinct pf sm_ty_Axiom) ; 
provo_con8truotors_distinot p£sm_ty_Axiom;WIRE] 
t 

% Subgoal 4t "P_f aia_crqt_S (a ' (t ' + 1)) \/ P_f sm_ognt_S (s ' (t ' + 1))" 
t "~ !SND(I_malo_0(p' t')) = LO)" ] 
t "- !SND(I_ralo_0(p' t ' ) ) - LO)" ] 

[ "SND (l_calo_0 <p' t ' ) > " ] % 

UNDISCH_TAC "SND (l_oalo_0(p ' (t ' i timoC) )) " 
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THEN IMP_RBS_TAC I_oala_ISO 

THEN REWRITE_ASSUM_TAC ( "New_Stat«_Is_PA a' e' t , tNew_State_Is_PA] ) 

THEN ASM_RBWRITB_TAC [ ] 

THEN IMP_RES_TAC ( REWRITE_RULE [BSel] IBA_READY_ASSUMPS ) 

THEN ASM_CASBS_TAC " -SND ( I_cgnt_E ( a ' (t'ltimeC))) /\ SND ( I_hold_E ( a ' t'))" 
THEN ASM_RBWRITB_TAC [DE_MOROAN_THM] 

THEN REPEAT STRIP_TAC 
THEN NROLE_ASSUM_TAC 

("lu'. -SND ( I_cgnt_E ( e ' (u'ltimeC))) ==> SND ( I_hold_B ( a ' u'))", 

( (REWRITS_RULE []) o CONTRAPOS o (SPEC "t ' ttimeC") ) ) 

THEN RBS_TAC 

THEN IMP_RBS_TAC P_£sm_cant_ISO 
THEN ASM_RBWRITB_TAC [ ] 

] 

) ; j 

let NOT_IBtJS_ALB_PREVENTS_NBW_STATE_PD = TAC_PROOP 

<(£], 

"1 (t' itimeC) (t itimeT) (pti sPTI) 

(a i tlmeT->pt_atata) (a itimeT->pt_env) (p !timeT->pt_out) 

(a' :timaC->pc_state) (a' i timeC->pc_env) (p' stimeC->pc_out) 

(tp' ttimeC) . 

PCSat_Corraot s' a' p' «==> 

PT_Exac pti a a p t *==> 

IBA_PMaatar pti a p t a' p' ==> 

~Naw_State_Ia_PD a' a' t' *=> 

~ale_aig_ib p' t ' ==> 

-New_Stata_Ia_PD a' a' (t'+l)"), 

REPEAT STRIP_TAC 

THEN IMP_RBS_TAC NEXT_STATB_NOT_PD 

THEN IMP_RBS_TAC NOT_IBOS_ALE_XMP_NOT_PSM_RQT 

THEN ONDISCH_TAC "Naw_Stata_Ia_PD a' e'(t' + 1)” 

THEN RBWRITE_TAC [Naw_Stata_Ia_PD] 

THEN IMP_RES_TAC P_f 8m_«tata_IS0 

THEN SPBC_ONDISCHJMATCH_LHS_TAC ( "P_f am_atataS ( a ' (t + 1) ) ", "t ' itimeC") 

THEN ASM_REWRITB_TAC [ ] 

THEN DISCH_TAC 

THEN ASM_REWRITE_TAC [SYM_RULE (prova_conBtructors_diatinct p£am_ty_Axiom) ] 
THBNL [ 

% Subgoal 1: [ "new atata = PA" ] % 

REWRITE_ASStJM_TAC ( "Naw_State_Ia_PA a ' a' t ' ", [New_Stata_Ia_PA] ) 

; 

% Subgoal 2i [ "new atata = PH" ]% 

REWRITB_ASStJM_TAC ( "Naw_Stata_Ia_PH a' a' t ' ", [New_State_Ia_PH] ) 

1 

THEN COND_CASBS_TAC 
THEN ASM_REWRITE_TAC 

[SYH_RHbE (prova_conBtructora_di8tinet pfam_ty_ Axiom) ; 
prova_conatructora_diatinot p£am_ty_Axiom] 

THEN COND_CASES_TAC 
THEN ASM_REWR I TB_TAC 

[SYM—HULE (prove_couatructora_diatinct pf am 1 _ty_Axiom) ; 
prova_conatructors_dietliict p£am_ty_Axiom] 

THEN COND_CASES_TAC 
THEN ASM_REWRITB_TAC 

[SYM_ROLE (prova_conatructor8_diatinct p£am_ty_Axiom) ; 
prova_coastruotora_diatinct p£sm_ty_Axiom] 

);; 

let SUB_STABLE_FALSB = TAC_PROOF 

(([], 

"1 (f :tima->bool) (tl t2 t3 itlme) . 

STABLE_FALSE f (tl,t2) ==> 

(t3 <= t2 ) =«=> 

(tl <= t3) *=> 

STABLE_FALSB £ (tl,t3)"), 

REWRITE_TAC ISTABLB_FALSE] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITB_TAC[] 

THEN SPBC_ASSDM_TAC ("It. tl <= t /\ t <= t2 «■> ~£ t", "t i tiraaC") 

THEN IMP_RBS_TAC LBSS_EQ_TRANS 
THEN RES_TAC 
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(p' itimeC->pc_out) . 


) I I 

let IBUS_ALB_TRUB_IMP_NEW_STATE_PA = TAC_PROOF 

(([], 

"I (t' itimeC) (s' itimeC->pc_state) (e' : timeC->pc_env) 

PCSet_Correct s' e' p' ==> 
ale_aig_ib p' t ' 

New_State_Is_PA s' e ' t ' " ) , 

REWRXTE_TAC [ale_aig_ib;BSel;New_State_Is_PA] 

THEN BETA_TAC 
THEN REPEAT QEN_TAC 
THEN DISCH_TAC 
THEN IMP_RES_TAC I_male_ISO 
THEN IMF_RBS_TAC X_rale_ISO 
THEN IMP_RES_TAC I_cale_ISO 
THEN ASM_CASBS_MATCH_RHS_TAC "PA" 

THEN IMP_RES_TAC NOT_PA 
THEN ASM_RBWRITE_TAC 

[HIRE j SXM_RULE (prove_constructor s_dist inct p£ sm_ty _Axiom) > 
prove_constructors_distinct wire; 

SYM_RULE (prove_constructors_distinct wire)] 

) n 

let OFFSET_IBUS_ALE_FALSE_PRBVENTS_NBW_STATE_PD = TAC_PROOF 

(<[], 

"I (u' itimeC) (t itimeT) (pti tPTI) 

(a itimeT->pt_atate) (e itimeT- >pt_env) (p :timeT->pt_out) 

(s' itimeC->pc_8tate) (e‘ i timeC ->pc_env) (p' :timeC->pc_out) 

(tp' itimeC) (ti'' itimeC) . 

PCSet_Correct 8 ' e ' p ' ==> 

NTH_TIME_TRUE t (ale_sig_pb e') 0 tp' ==> 

(tp' > 0) ■=> 

PT_Bxec pti sept ==> 

PT_PreC pti sept *=> 

PStateAbs pti s e p t s' e' p' tp' ==> 

Rst_Slave pti e t e' i» 

IBA_PMaster pti e p t e' p' ==> 

STABLE_FALSE ( ale_8 iff_ib p ' ) ( tp ' , ( tp ' +u ' ) ) ==> 

((tp'+u') <= ti'') ==> 

~New_State_Is_PD s' e ' ( tp ' +u ' ) " ) , 

REWRI TE_TAC [PStateAbs 1 

THEN INDOCT_TAC 

THEN REHRITE_TAC [ADD_CLAUSBS ] 

THEN REPEAT STRIP_TAC 
THBNL [ 

% Subgoal It (Base Case) % 

ONDISCHLTAC "New_State_Is_PD s' e' tp'" 

THEN IMP_RE S_TAC PREC 
THEN RBS_TAC 

THEN ASMJEWRITE__ASSUM_TAC 

( "P_rqtS ( s ' (tp' itimeC) ) = PT_rqtS(s (t itimeT) )",[] ) 

THEN IMP_RBS_TAC (SPEC "PT_f sm_stateS (s (titimeT))" NOT_PD) 

THEN ASM_REWRXTB_ASSUM_TAC 

("P_£sm_stateS(s ' (tp'itimeC)) = PT_f sm_stateS (s (t itimeT) )",[] ) 
THEN IMP_RES_TAC PA_IMP_NOT_PD 
THEN IMP_RBS_TAC PH_IMP_NOT_PD 
THEN IMP_RES_TAC P_RQT_PRBVBNTS_NBW_STATE_PD 

1 

% Subgoal 2t (Induction Step) % 

ASSUME_TAC (SPEC "tp'+U'" LESS_BQ_SDC_RBFL) 

THEN IMP_RBS_TAC LESS_EQ_TRANS 

THEN ASSUME_TAC (SPECL ("tp ' I timeC" j "U ' I timeC"] LESS_EQ_ADD ) 

THEN IMP_RES_TAC SUB_STABLE_FALSE 

THEN RES_TAC 

THEN NROLE_ASSUM_TAC 

("STABLE_FALSB(ale_sig_ib p')(tp',tp' + u')", 

(BBTA_ROLB o (RBWRITB_RULE [STABLE_FALSE] ) ) ) 

THEN ASSUMB_TAC (SPEC "tp'+U"' LBSS_EQ_REFL) 

THEN RBS_TAC 
THEN IMP_RES_TAC 

(RBWRITE_R0LE [SYM_RULE ADD1] NOT_IBUS_ALE_PREVENTS_NBW_STATE_PD) 

1 
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let IBUS_ALE_FALSB_PREVBNTS_NBW_STATE_PD = TAC_PROOF 

(([], 

"1 (t' itlmeC) (t ttimeT) (pti iPTI) 

(s itimeT->pt_state) (e i timeT->pt_env) (p itimeT->pt_out) 

(s' itlmeC->pc_state) (e' itlmeC->pc_env) (p' itimeC->pc_out) 
(tp' itimeC) (ti'' itlmeC) . 

PCSet_Correot s' e' p' ==> 

NTH_TXME_TRUB t (ale_sig_pb s') 0 tp' ==> 

(tp' > 0) ==> 

PT_Bzec ptl sept ==> 

PT_PreC pti sept ==> 

PStateAbs pti s e p t s' e' p' tp' ==> 

Rst_Slave pti e t e' ==> 

IBA_PMaster pti e p t e' p' ==> 

STABIiE_FALSE (ale_sig_ib p') (tp',ti") ==> 

(tp' <= t ' ) ==> 

(t' <= ti' ') »> 


~New_St at e_I s_PD a' e' t'"), 

REPEAT STRIP_TAC 

THEN IMP_RBS_TAC (SPEC "t'-tp'" OFFSET_IBUS_ALB_FALSE_PREVENTS_NEW_STATB_PD) 
THEN SPECL_ASSUM_TAC 
("It' tp'". 

STABLB_FALSE (ala_aig_ib p') (tp'.tp' + (t' - tp'")) ==> 

( Iti" . (tp' + (t' - tp'")) <= ti" ==> 

-New_State_Is_PD s' e'(tp' + (t' - tp" ')))", 

["t' itimeC"; "tp' itimeC"] ) 

THEN IMP_RBS_TAC 

(SPECL t"t' itimeC";"tp' itimeC"] 

( PORE_ONCE_REHRITE_RUIiE [ADD_SYM] SUB_ADD) ) 

THEN ASM_REWRITB_ASSUM_TAC 

( "STABLE_FALSE (ale_sig_ib p') (tp'/tp' + (t' - tp')) *=> 

( !ti" . (tp' + (t' - tp')) <- ti" ==> 

-New_State_Is_PD s' e'(tp' + (t' - tp')))",U) 

THEN XMP_RES_TAC SUB_STABLE_FALSE 

THEN RES_TAC 

THEN SPBC_ASSDM_TAC 

("Iti". (tp' + (t' - tp')) <= ti" b» 

-New_State_Is_PD s' e'(tp' + (t' - tp' ) ) ", "ti" i timeC") 
THEN ASM_RBWRITE_ASSOM_TAC 

("(tp' + (t' - tp')) <= ti" ==> 

~New_St at e_I s_PD s' e'(tp' + (t' - tp'))",[]) 

);; 


let OFFSET_NEW_STATE_PD_FALSE_FROM_TP ' _TO_TI ' = TAC_PROOF 

(([], 

"1 (u' itimeC) (t itimeT) (pti iPTI) 

(s i timeT - >pt state) (e itimeT->pt_env) (p i timeT->pt_out) 

(s' itimeC->pc_state) (e' t timeC ->pc_env) (p' itimeC->pc_out) 

(tp' itimeC) (ti' itimeC) . 

PCSet_Correct s' e' p' ««> 

NTH_TIME_TROB t (ale_sig_pb e') 0 tp' «=> 

(tp' > 0) »»> 

PT_Exec pti s e p t ==> 

PT_PreC pti sept »■> 

PStateAbs pti s e p t s' e' p' tp' ==> 

Rst_Slave pti e t e ' ==> 

IBA_PMaster pti e p t e' p’ ==> 

STABLE_FALSE (ale_sig_ib p') (tp',ti'-l) ==> 

((tp’+U') <* ti') ==> 

-New_State_Is_PD s' e' (tp'+u')"), 

REPEAT STRIP_TAC 

THEN ASM_CASES_TAC "ale_sig_ib p' (tp'+u')" 

THBNL [ 

% Subgoal li [ "ale_sig_ib p' (tp' + u')" ] % 

IMP__RES_TAC IBUS_ALE_TRUE_1MP_NEW_STATE_PA 

THEN REWRITE_ASSCH_TAC ( "New_State_Is_PD s' e ' (tp'+u')", [New_State_Is_PD] ) 
THEN REWRITB_ASSUM_TAC("New_State_IsJPA s' e' (tp'+u' )", [New_State_Xs_PA] ) 
THEN IMP_RBS_TAC PA_IMP_NOT_PD 


% Subgoal 2i [ "~ale_sig_ib p' (tp' + u')" ] % 



RBWRITE_ASSUM_TAC ( " ( tp ' +U ' ) < = t i ' " , [ LESS_OR_EQ ] ) 

THEN POP_ASSUM_LIST (MAP_BVERY (\thm. STRIP_ASSUME_TAC thm) ) 

THENL [ 

% Subgoal 2.1s [ "(tp'+u') < ti'" 3 % 

SUBQOAL_THEN "STABLB_FALSE ( ale_sig_ib p ' ) ( tp ' , tp ' +U ' ) " ASSUME_TAC 
THENL [ 

% Subgoal 2.1.1s (New eubgoal) % 

UNDISCH_TAC "STABLE_FALSB (ale_sig_ib p')(tp',ti' - 1)" 

THEN ASM_RBWRITB_TAC [ STABLE_FALSE ] 

THEN REPEAT STRIP_TAC 

THEN REWRXTB_TAC [LBSS_EQ_ADD] 

THEN IMP_RBS_TAC SOB_LBSS_OR 
THEN XMP_RBS_TAC LESS_BQ_TRANS 
THEN RES_TAC 

; 

% Subgoal 2.1.2 % 

ASSDME_TAC (SPEC "tp'+U"' LESS_EQ_REFL) 

THEN IMP_RKS_TAC 

(SPEC "tp' itimeC" OFFSET_IBUS_ALE_FALSE_PRBVENTS_NEW_STATE_PD) 


% Subgoal 2.2s [ "t* = ti'" 3 % 

SUBOOAL_THEN "STABLB_FALSE (ale_sig_ib p') (tp ' , tp ' +U' ) " ASSUME_TAC 
THENL [ 

% Subgoal 2.2.1: (New subgoal) % 

UNDISCH_TAC "STABLE_FALSE (ale_sig_ib p ' ) (tp' , ti ' - 1)" 

THEN ASM_RBWRITE_ASSUM_TAC ("-ale_sig_ib p' (tp'+U' )",[] ) 

THEN ASM_REWRITE_TAC[STABLB_FALSE] 

THEN REPEAT STRIP_TAC 
THENL [ 

ASSDMB_TAC (SPBCL ["ti ' s timeC"; "1"] SUB_LESS_EQ) 

THEN IMP_RES_TAC LESS_EQ_TRANS 

> 

REWRITE_ASSUM_TAC ( "t ' <= ti ' [LESS_0R_EQ3 ) 

THEN POP_ASSOM_LXST (MAP_EVERY (\thns. STRIP_ASSUMB_TAC thm)) 
THENL [ 

XMP_RES_TAC StJB_LESS_OR 
THEN RBS_TAC 
I 

ONDISCH_TAC "ale_sig_ib p' t'« 

THEN ASM_REWRITE_TAC [ 3 
3 
3 


3 

)>; 


% Subgoal 2.2.2 % 

ASSOME_TAC (SPEC "tp'+u"' LESS_BQ_RBFL ) 

THEN ASSOME_TAC (SPBCL ["tp' :timeC"; "u' itimeC"] LESS_EQ_ADD) 
THEN IMP_RES_TAC 

(SPEC "tp'+u"' IBUS_ALE_FALSE_PRBVBNTS_NEW_STATE_PD) 


let NEW_STATE_PD_FALSE_FROM_TP ' _TO_TI ' = TAC_PROOF 

(([3, 

"1 (t' s timeC) (t itimeT) (pti :PTI) 

(s :timeT->pt_state) (e :tiraeT->pt_env) (p stimeT->pt_out) 

(s' :timeC->pc_state) (e' s timeC ->pc_env) (p' :timeC->pc_out) 
(tp' stimeC) (ti' itimeC) . 

PCSet_Correct s' e' p' s==> 

NTH_TIMB_TRUB t (ale_sig_pb e') 0 tp' »=> 

(tp' > 0) *«> 

PT_Exeo pti sept ==> 

PT_PreC pti sept ==> 

PStateAbs pti s e p t s' e' p' tp' ==> 

Rst_Slave pti e t e' ==> 

IBA_PMaster pti e p t e' p' ==> 

STABLE_FALSE (ale_sig_ib p' ) (tp',ti'-l) ==> 
(tp' <« t') «s*> 

(t ' <* ti ' ) K®> 

~New_St at e_I s_PD s' e' t'"). 
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REPEAT STRIP_TAC 

THEN ASM_CASBS_TAC "ale_sig_ib p' t" 

THBNL [ 

% Subgoal li [ "ale_aig_ib p' t ' " ] % 

IMP_HBS_TAC IBUS_ALB_TRtJB_IMP_NBW_STATB_PA 

THEM RBWRITB_ASSOM_TAC ("New_Stata_Xs_PD s' e' t ' ", [New_State_Is_PD] ) 
THEN RBWRITB_ASSUM_TAC ("New_State_Is_PA s' e' t , [New_State_Xs_PA] ) 
THEN IMP_RBS_TAC PA_IMP_NOT_PD 

; 

% Subgoal 2: [ "~ale_sig_ib p' t ' " ] % 

RBWRITE_ASSUM_TAC ("t' <= ti '", [LESS_0R_EQ3 ) 

THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm) ) 

THBNL [ 

% Subgoal 2.1: [ "t' < ti'" ] % 

SDBOOAL_THEN "STABLB_FALSE (ala_sig_ib p') (tp',t')» ASSUME_TAC 
THBNL ( 

% Subgoal 2.1.1: (Naw subgoal) % 

UNDISCH_TAC "STABLE_FALSB ( ale_a ig_ib p')(tp',ti' - 1)" 

THEN ASH_REWRITE_TAC [ STABLE_FALSE ] 

THEN REPEAT STRIP_TAC 
THEN IMP_RBS_TAC SOB_LESS_OR 
THEN IMP_RBS_TAC LESS_EQ_TRANS 
THEN RES_TAC 
I 

% Subgoal 2.1.2 % 

ASSTJME_TAC (SPEC "tMtimaC" LES S_BQ_REF L ) 

THEN IMP_RES_TAC 

(SPEC "t' : timaC" IBUS_ALE_FALSE_PREVENTS_NEW_STATE_PD ) 

3 

t 

% Subgoal 2.2: [ "t< « ti'" ] % 

SDBQOAL_THEN "STABLB_FALSE (ale_sig_ib p') (tp'.t')" ASSUME_TAC 

THBNL [ 

% Subgoal 2.2.1: (New subgoal) % 

ONDISCH_TAC "STABLB_FALSE(ale_sig_ib p' ) (tp' ,ti' - 1)" 

THEN ASM_RBWRITE_ASSUM_TAC ("~ale_sig_ib p' t ' " , t ] ) 

THEN ASM_REWRITE_TAC [ STABLE_FALSE ] 

THEN REPBAT STRIP_TAC 
THBNL [ 

ASM_JREWRITB_ASSUM_TAC ("tp' <= t '",[]) 

; 

RBWR I TB_AS S UM_ TAC ("t" <= ti'", [ LESS_OR_EQ] ) 

THEN POP_ASSUM_LIST (MAP_BVERY (\thm. STRIP_ASSUME_TAC thin)) 
THBNL [ 

IMP_RBS_TAC SUB_LESS_OR 
THEN RES_TAC 
I 

ONDISCH_TAC "ale_aig_ib p' t"» 

THEN ASM_RBWRITE_TAC [ ] 

3 

3 

/ 

% Subgoal 2.2.2 % 

ASSUMB_TAC (SPEC "t':timec" LESS_EQ_REFL) 

THEN IMP_RBS_TAC 

(SPEC "t': timaC" IBUS_ALB_FALSE_PREVBNTS_NEW_STATE_PD) 

3 

3 

3 

)»; 

let OFFSBT_NEW_P_RQT_TRtJB_FROM_TP'_TO_TI' = TAC_PROOF 

(((], 

"! (u' itimaC) (t : timeT) (pti :PTI) 

(a :timaT->pt_atata) (a :timaT->pt_env) (p :timeT->pt_out) 

(s' :timeC->pc_state) (s' :timeC->pc_env) (p' :timeC->pc_out) 

(tp' ttimeC) (ti' :timeC) . 

PCSet_Correct s' a' p' ■■> 

NTH_TXMB_TRUE t (ala_sig_pb a') 0 tp' ==> 

(tp' > 0) ««> 

PT_Exec pti sept =*> 
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PT_PreC pti a e p t ==> 

PStateAbs pti aepts'e'p'tp' ==> 

Rst_Slave pti ate' ==> 

IBA_PMaater pti a p t a' p' ==> 

STABLE_FALSE (ale_sig_ib p' ) (tp' , (ti' -1) ) ==> 

((tp'+u') <= ti') ==> 

New_P_Rqt_Is_TRUE a' a' (tp'+u')"), 

INDOCT_TAC 
THENL [ 

% Subgoal It (Baae Case) % 

RBWR I TB_T AC [STABLE_FALSE; STABLE_TRUE) PStateAbs ; ADD_CLAUSES] — 

THEN B1TA_TAC 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITE_TAC [ ] 

THEN IMP_RBS_TAC NTH_ALB_SIG_PB_TRUB 
THEN IHP_RES_TAC RST_PALSE 

THEN SPEC_ASSUM_TAC ("lu' ttimeC. SND (RstB (a ' u')) = F", "tp ' t timeC") 

THEN RKS_TAC 

THEN IMP_RES_TAC PREC 

THEN IMP_RES_TAC (SPEC "PT_£am_atataS ( s (tttimeT))" NOT_PD) 

THEN ASM_RBWRITE_ASSUM_TAC 

("P_fam_stataS(a‘ (tp' ttimeC)) = PT_£am_BtateS(a (tttimeT))",!]) 
THEN ASMLRBWRITE_ASSUM_TAC 

("P_rqtS(s' (tp'itimeC)) = PT_rqtS(a (tttimeT))",!]) 

THEN IMP_RBS_TAC PA_IMP_NOT_PD 
THEN IMP_RBS_TAC PH_IMP_NOT_PD 
THEN IMP_RES_TAC P_RQT_PRBVBNTS_NBW_S TATB_PE 
THEN ASM_REWRITB_TAC [New_P_Rqt_Ia_TRUE] 

I 

% Subgoal 2t (Induction Step) % 

REWRITE_TAC [ADD1 j ADD_ASSOC ] 

THEN REPEAT STRIP_TAC 

THEN ASSUME_TAC (SPECL ["tp ' +U' " J "1"] LESS_EQ_ADD) 

THEN ASSUMB_TAC (SPECL ["tp ' t timeC"; "u' ttimeC") LBSS_BQ_ADD) 

THEN IMP_RBS_TAC LBSS_EQ_TRANS 
THEN IMP_RBS_TAC SUB_STABLE_FALSE 
THEN RBS_TAC 
THEN REWRITE_ASSOM_TAC 

("STABLE_FALSE(ala_aig_ib p') (tp', (tp' +u') +1)", 
[ASSOC_ADD_ADDl] ) 

THEN RBWRITE_ASSOM_TAC 

("((tp' + u') + 1) <= ti'", [ASSOC_ADD_ADDl] ) 

THEN IMP_RES_TAC OPFSBT_NBN_STATE_PD_FALSE_FROM_TP '_TO_TI ' 

THEN REWRITB_ASSUM_TAC 

( "~New_Stata_Ia_PD a' e'(tp' + (u' + 1) ) ", [ADD_ASSOC] ) 

THEN IMP_RBS_TAC RST_FALSE 

THEN SPBC_ASSDM_TAC ('Mu'. SND(RatE(a' (u'ttimaC))) = F","(tp'+U')+1") 
THEN IMP_RES_TAC P_rqt_ISO 
THEN RES_TAC 

THEN SPBC_UNDISCH_MATCH_LHS_TAC ( "P_rqtS (a ' (t + 1) ) ", "tp' +u' ") 

THEN REMRITE_ASSOM_TAC 

( "Naw_P_Rqt_Is_TRUE a' e'(tp' + u')", 

[ New_P_Rqt _ I a _TROE ,• Naw_State_Ia_PD ] ) 

THEN ASM_RBWRITE_TAC [ ] 

THEN DISCH_TAC 

THEN ASM_RBWRITE_TAC [New P_Rqt_Ia_TRUE ; COND_TROE_TROE ; COND_TROB_CHOICES ] 

] 

) J» 

let NEW_P_RQT_TRUK_FROM_TP ' _TO_TI ' = TAC_PROOF 

( ( [], 

"! (t' ttimeC) (t itimeT) (pti tPTI) 

(a ttimeT->pt_atata) (a ttimeT->pt_anv) (p itimaT->pt_out) 

(s' t timeC->pc_state) (a' itimeC->pc_env) (p' ttimeC->pc_out) 

(tp' ttimeC) (ti' ttimeC) . 

PCSet_Correct a' a' p' ««> 

NTH_TIMB_TRUB t (ale_aig_pb a') 0 tp' ==> 

(tp' > 0) ==> 

PT_Exac pti sept ■«> 

PT_Prac pti a a p t ==> 

PStataAbs pti septa' e'p' tp' ==> 

Rst_Slava pti ate' ==> 
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XBA_PMaster pti a p t a' p' ==> 

STABLB_FALSE (ala_aig_ib p') (tp',ti'-l) ==> 

(tp' <= t') ==> 

(t' <= ti') ==> 

Naw_P_Rqt_l8_TRUE s' o' t'"), 

REPEAT STRIP_TAC 

THEN IMP_RSS_TAC (SPEC "t'-tp"' OPPSET_NEW_P_RQT_TRUB_FROM_TP '_TO_TI ' ) 
THEN SPECL_ASSUM_TAC 

( " ! t ' tp'". (tp' + (t' - tp'")) <= ti' ==> 

New_P_Rqt_Is_TRUB s' e'ftp' + (t' - tp'"))", 
t"t' !timaC"j"tp' itimaC"] ) 

THEN IMP_RBS_TAC 

(SPBCL ("t' itimaC">"tp' itimaC"] 

( PDRE_ONCE_RB WRITE _RULE [ADD_SYM] SUB_ADD) ) 

THEN ASM_REWRITE_AS SUM_TAC 

("(tp' + (t' - tp')) <= ti' ==> 

New_P_Rqt_I s_TRUE s' e'(tp' + (t' - tp'))", (1) 


let OFFSET_NBW_P_DBSTl_STABLB_FROM_TP'_TO_TI' = TAC_PROOF 

(((), 

"! (u' itimaC) (t ttimoT) (pti iPTI) 

(s itimaT->pt_stato) (a itimaT->pt_env) (p itimoT->pt_out) 

(s' : timaC->pc_stato) (a' itimaC->pc_onv) (p' i t imoC - >pe_out ) 

(tp' itimaC) (ti' itimaC) . 

PCSet_Corroct s' o' p' ==> 

NTH_TXME_TROE t (ala_aig_pb a') 0 tp' ==> 

(tp' >0) =«> 

PT_Exec pti sept ==> 

PT_PraC pti sept ==> 

PStatoAbs pti sopts'o'p'tp' ==> 

Rst_Slava pti a t a' ==> 

IBA_PMaster pti a p t a ' p ‘ ==> 

STABLE_FALSE (alo_siff_ib p') (tp',ti'~l) ==> 

((tp'+U'l <« ti') «■=> 

(P_dostiS (S' (tp'+U'+l) ) = 

ELEMENT (FST ( L_ad_inB (o' tp'))) 31)"), 

INDDCT_TAC 
THENL [ 

% Subgoal It (Baso casa) % 

RBWRITB_TAC [ADD_CLAOSES; PStatoAbs] 

THEN REPEAT STRIP_TAC 
THEN IMP_RBS_TAC PREC 
THEN RES_TAC 

THEN IMP_RBS_TAC P_dastl_ISO 
THEN ASM_RBWRXTB_TAC [ ] 

I 

% Subgoal 2i (Induction stap) % 

REWR I TB_TAC [ADD _ASSOC)ADDl] 

THEN REPEAT STRIP_TAC 

THEN ASSOME_TAC (SPBCL ["tp' itimaC"; "u' i timeC"] LESS_EQ_ADD) 

THEN ASSDMB_TAC (SPBCL [“tp' +U' "} "1"] LESS_EQ_ADD ) 

THEN IMP_RES_TAC SUB_STABLE_FALSE 
THEN IMP_RES_TAC LBSS_EQ_TRANS 
THEN RES_TAC 

THEN ASSOME_TAC (SPEC "tp'+u'" LESS_EQ_REFL) 

THEN IMP_RES_TAC NBW_P_RQT_TRDE_FROM_TP ' _T0_TX ' 

THEN REWRITE_ASSOM_TAC 

("P_dastlS(s' (tp' + (u' + 1))) = ELEMENT (FST (L_ad_inB (a ' tp')))31", 
[ADD_ASSOC] ) 

THEN XMP_R3S_TAC P_rqt_ISO 
THEN SPEC_UNDISCH_MATCH_LHS_TAC 

("P_rqtS (a ' (t + 1) ) ", "tp' +u' ") 

THEN REWRITB_ASSOM_TAC 

( "Naw_P_Rqt_Is_TROB s' o' (tp' + u')", 

[Naw_P_Rqt_Is_TROE ; Naw_State_Is_PD] ) 

THEN ASM_REWRITB_TAC[] 

THEN DISCH_TAC 

THEN IMP_RES_TAC P_dostl_ISO 

THEN ASM_REWRITE_TAC [ASS0C_ADD_ADD1] 

] 

)l! 
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TAC_PROOF 


let NBW_P_DEST1_STABLE_FROM_TP'_TO_TX' = 

((Cl, 

"1 (t' itimeC) (t t timeT) (pti iPTI) 

(s itimaT->pt_state) (e itimeT->pt_env) (p itimeT->pt_out) 

(s' itimeC~>pc_state) (a' ttimeC->pc_env) (p ' i t imeC - >pc_out ) 

(tp' itimeC) (ti' itimeC) . 

PCSet_Correct a' e' p' ==> 

NTH_TIME_TRUB t (ale_sig_pb a') 0 tp' ==> 

(tp' > 0) ==> 

PT_Sxec pti sept ==> 

PT_PreC pti sept ==> 

PStateAbs pti septs'e'p'tp' ==> 

Rst_Slave pti ate' ==> 

IBA_PMaster pti e p t e' p' ==> 

STABLR_FALSB (ale_sig_ib p') (tp',ti'-l) ==> 

(tp' <= t ' ) ==> 

(t' <= ti') ==> 

(P_destlS (s' (t'+l)) = 

ELEMENT ( F ST ( L_ad_ inE (e' tp'))) 3D"), 

REPEAT STRIP_TAC 

THEN IMP_RES_TAC (SPEC "t'-tp"' OFFSET_NBW_P_DBST1_STABLB_FROM_TP '_TO_TI ' ) 
THEN SPECL_ASSUM_TAC 

("It' tp'". (tp' + (t' - tp'")) <= ti' ==> 

(P_destlS(s' (tp' + (<t' - tp'") +1))) = 

ELEMENT (FST(L_ad_inE (o' tp' ) ) )31)", 
t"t' I timec">"tp' itimeC") ) 

THEN ASSUME_TAC (SPEC "tp':timeC" LESS_EQ_REFL) 

THEN IMP_RES_TAC 

(SYMJRULE (SPBCL ("tp ' i timeC" ; "tp ' i timeC" ; "t ' i timeC") ASS0C_SUB_ADD1) ) 
THEN ASM_REVJRITE_ASSUM_TAC 

<"(tp' + (t' - tp')) <= ti' ==> 

(P_destlS(s> (tp' + ( (t ' - tp') +1))) = 

ELEMENT (FST(L_ad_inB(e' tp' ) ) )31) ", 

[ADD_CLAUSES ; SCB_EQUAL_0 ) ) 

THEN ASSUMB_TAC 

( SYM_RULE ( SPECL [ "t ' -tp ' " ; "tp ' i timeC" ; "1") ASSOC_ADE_ADD3 ) ) 

THEN IMP_RES_TAC (SPECL ["t ' itimeC"; "tp' t timeC") SOB_ADD) 

THEN ASM_REWRITE_ASSUM_TAC 

("P_destlS (s ' (tp' + ((t' - tp') +1))) = 

ELEMENT (FST(L_ad_inE(e' tp' ) ) )31", [] ) 

) ) ) 

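% OFFSET_NEW_P_ADDR_STABLE_FROM_TP'_TO_TI'
  Offset form of the address-stability property: for every u' with
  tp'+u' <= ti', while the I-bus ALE signal is held false over [tp', ti'-1],
  the latched address P_addrS at tp'+u'+1 equals bits 25..0 of L_ad_inE
  sampled at tp'.  Proof is by induction on u'.  Base case: unfold PStateAbs,
  use PREC and the P_addr_ISO isomorphism at tp'.  Step: show the request
  is still asserted at tp'+u' (NEW_P_RQT_TRUE_FROM_TP'_TO_TI', P_rqt_ISO),
  so P_addr_ISO carries the latched value one more cycle.
  Review note: OCR transcription; identifiers restored to canonical
  spelling, the (tp'+u') <= ti' hypothesis (operator lost by the scan)
  reconstructed from the P_DEST1 twin of this lemma.  Not re-run. %
let OFFSET_NEW_P_ADDR_STABLE_FROM_TP'_TO_TI' = TAC_PROOF
 (([],
   "! (u' :timeC) (t :timeT) (pti :PTI)
      (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (s' :timeC->pc_state) (e' :timeC->pc_env) (p' :timeC->pc_out)
      (tp' :timeC) (ti' :timeC) .
     PCSet_Correct s' e' p' ==>
     NTH_TIME_TRUE t (ale_sig_pb e') 0 tp' ==>
     (tp' > 0) ==>
     PT_Exec pti s e p t ==>
     PT_PreC pti s e p t ==>
     PStateAbs pti s e p t s' e' p' tp' ==>
     Rst_Slave pti e t e' ==>
     IBA_PMaster pti e p t e' p' ==>
     STABLE_FALSE (ale_sig_ib p') (tp',ti'-1) ==>
     ((tp'+u') <= ti') ==>
     (P_addrS (s' (tp'+u'+1)) = SUBARRAY (FST (L_ad_inE (e' tp'))) (25,0))"),
  INDUCT_TAC
  THENL [
   % Subgoal 1: (Base case) %
   REWRITE_TAC [ADD_CLAUSES; PStateAbs]
   THEN REPEAT STRIP_TAC
   THEN IMP_RES_TAC PREC
   THEN RES_TAC
   THEN IMP_RES_TAC P_addr_ISO
   THEN ASM_REWRITE_TAC []
   ;
   % Subgoal 2: (Induction step) %
   REWRITE_TAC [ADD_ASSOC; ADD1]
   THEN REPEAT STRIP_TAC
   THEN ASSUME_TAC (SPECL ["tp' :timeC"; "u' :timeC"] LESS_EQ_ADD)
   THEN ASSUME_TAC (SPECL ["tp'+u'"; "1"] LESS_EQ_ADD)
   THEN IMP_RES_TAC SUB_STABLE_FALSE
   THEN IMP_RES_TAC LESS_EQ_TRANS
   THEN RES_TAC
   THEN ASSUME_TAC (SPEC "tp'+u'" LESS_EQ_REFL)
   % the P-port request is still asserted at tp'+u' %
   THEN IMP_RES_TAC NEW_P_RQT_TRUE_FROM_TP'_TO_TI'
   THEN REWRITE_ASSUM_TAC
    ("P_addrS (s' (tp' + (u' + 1))) =
      SUBARRAY (FST (L_ad_inE (e' tp'))) (25,0)",
     [ADD_ASSOC])
   THEN IMP_RES_TAC P_rqt_ISO
   THEN SPEC_UNDISCH_MATCH_LHS_TAC ("P_rqtS (s' (t + 1))", "tp'+u'")
   THEN REWRITE_ASSUM_TAC
    ("New_P_Rqt_Is_TRUE s' e' (tp' + u')",
     [New_P_Rqt_Is_TRUE; New_State_Is_PD])
   THEN ASM_REWRITE_TAC []
   THEN DISCH_TAC
   THEN IMP_RES_TAC P_addr_ISO
   THEN ASM_REWRITE_TAC [ASSOC_ADD_ADD1]
  ]
 );;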

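% NEW_P_ADDR_STABLE_FROM_TP'_TO_TI'
  Clock-level form of OFFSET_NEW_P_ADDR_STABLE_FROM_TP'_TO_TI': for every
  t' with tp' <= t' <= ti', while the I-bus ALE signal is held false over
  [tp', ti'-1], the latched address P_addrS at t'+1 equals bits 25..0 of
  L_ad_inE sampled at tp'.  Same proof shape as the P_DEST1 twin: instantiate
  the offset lemma at u' = t'-tp', then cancel tp' + (t'-tp') to t'.
  Review note: OCR transcription, identifiers restored; not re-run. %
let NEW_P_ADDR_STABLE_FROM_TP'_TO_TI' = TAC_PROOF
 (([],
   "! (t' :timeC) (t :timeT) (pti :PTI)
      (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (s' :timeC->pc_state) (e' :timeC->pc_env) (p' :timeC->pc_out)
      (tp' :timeC) (ti' :timeC) .
     PCSet_Correct s' e' p' ==>
     NTH_TIME_TRUE t (ale_sig_pb e') 0 tp' ==>
     (tp' > 0) ==>
     PT_Exec pti s e p t ==>
     PT_PreC pti s e p t ==>
     PStateAbs pti s e p t s' e' p' tp' ==>
     Rst_Slave pti e t e' ==>
     IBA_PMaster pti e p t e' p' ==>
     STABLE_FALSE (ale_sig_ib p') (tp',ti'-1) ==>
     (tp' <= t') ==>
     (t' <= ti') ==>
     (P_addrS (s' (t'+1)) = SUBARRAY (FST (L_ad_inE (e' tp'))) (25,0))"),
  REPEAT STRIP_TAC
  THEN IMP_RES_TAC (SPEC "t'-tp'" OFFSET_NEW_P_ADDR_STABLE_FROM_TP'_TO_TI')
  THEN SPECL_ASSUM_TAC
   ("!t' tp''. (tp' + (t' - tp'')) <= ti' ==>
      (P_addrS (s' (tp' + ((t' - tp'') + 1))) =
       SUBARRAY (FST (L_ad_inE (e' tp'))) (25,0))",
    ["t' :timeC"; "tp' :timeC"])
  THEN ASSUME_TAC (SPEC "tp' :timeC" LESS_EQ_REFL)
  THEN IMP_RES_TAC
   (SYM_RULE (SPECL ["tp' :timeC"; "tp' :timeC"; "t' :timeC"] ASSOC_SUB_ADD1))
  THEN ASM_REWRITE_ASSUM_TAC
   ("(tp' + (t' - tp')) <= ti' ==>
      (P_addrS (s' (tp' + ((t' - tp') + 1))) =
       SUBARRAY (FST (L_ad_inE (e' tp'))) (25,0))",
    [ADD_CLAUSES; SUB_EQUAL_0])
  THEN ASSUME_TAC
   (SYM_RULE (SPECL ["t'-tp'"; "tp' :timeC"; "1"] ASSOC_ADD_ADD3))
  THEN IMP_RES_TAC (SPECL ["t' :timeC"; "tp' :timeC"] SUB_ADD)
  THEN ASM_REWRITE_ASSUM_TAC
   ("P_addrS (s' (tp' + ((t' - tp') + 1))) =
     SUBARRAY (FST (L_ad_inE (e' tp'))) (25,0)", [])
 );;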

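% EVENTUALLY_PA_ON_OR_AFTER_PH  --  ASSERTED WITH mk_thm, NOT PROVED.
  mk_thm manufactures a theorem with no derivation, so this statement is an
  axiom of the verification: if the PIU design does not actually guarantee
  that a hold (PH) state is eventually followed by a PA state, nothing
  downstream detects it.  Everything that resolves against this name
  inherits the assumption: EVENTUALLY_PA_AFTER_PH, through it
  ALE_SIG_IB_TRUE_AFTER_TP' (Subgoal 2.2), and through that
  IBUS_TRANS_EXISTS.  A TAC_PROOF attempt follows in a comment below; it
  appears incomplete.  Any soundness audit of this listing must carry this
  as an open proof obligation (or discharge it and delete the mk_thm).
  Note also that pti, s, e, p and t occur free here: unlike the commented-
  out version they are not bound by the outer quantifier.
  Review note: OCR transcription; identifiers restored, the ==> after the
  IBA_PMaster hypothesis (dropped by the scan) put back. %
let EVENTUALLY_PA_ON_OR_AFTER_PH = mk_thm
 ([], "! (t' :timeC) (s' :timeC->pc_state) (e' :timeC->pc_env)
        (p' :timeC->pc_out) .
       PCSet_Correct s' e' p' ==>
       PT_Exec pti s e p t ==>
       IBA_PMaster pti e p t e' p' ==>
       Rst_Slave pti e t e' ==>
       (t' > 0) ==>
       New_State_Is_PH s' e' t' ==>
       (?u' :timeC .
         STABLE_FALSE_THEN_TRUE (\v'. New_State_Is_PA s' e' v') (t',u'))");;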

% 

let BVENTUALLY_PA_ON_OR_AFTER_PH = TAC_PROOF 

(([]. 

" I (t' itimeC) (s' itimaC->pc_state) (a' stimeC->pc_env) (p' itimeC->pc_out) 
(t itimeT) (a itimeT->pt_stata) (a i timeT->pt_env) (p itimeT->pt_out) 

(pti t PTI) . 

PCSet_Correct s' a' p' ==> 

PT_Exec pti s a p t ==> 

IBA_PMaster pti a p t a' p' =«> 

Rst_Slave pti ate' ==> 

(t' > 0) =*> 

Naw_State_Xa_PH s' a' t' ==> 

(?u' itimeC. 

STABLB_FALSB_THBN_TRXJB (\v'. New_State_lB_PA 8' a' v' ) (t ',U'))"), 
RBPBAT STRIP_TAC 

THEN IMP_RES_TAC IBA_RKADY_ASStJMPS 
THEN SPBC_ASSOM_TAC 

("lu' . 7v'. STABLE_FALSE_THBN_TRtJB(bsig X_hold_E e')(u',v')", 

"t'-l") 

THEN CHOOSK_ASSDM_TAC 

" 7 V ' . STABLE_FALSE_THEN_TRUE (baig I_hold_E e')(t'-l,V')" 

THEN BXISTS_TAC "V' ItimeC" 

THEN RKWRITB_TAC [STABLE_FALSE_THEN_TROB] 

THEN BBTA_TAC 

THEN NRULB_ASSUM_TAC 

("STABLB_FALSB_THBN_TRUE(baig I_hold_E a ' ) (t ' -1, V' ) ", 

(BBTA_RULE o ( REWRITB_RULE ( STABLB_FALSB_THBN_TRUB ; bs ig ; BSel ] ) ) ) 
THEN POP_ASSUM_LIST (MAP_EVERY <\thm. STRIP_ASSUMB_TAC thm) ) 

THEN ASM_REWRITB_TAC t ] 


THEN SUBQOAL_THBN 

"lu'. New_State_Is_PH 8' a' u' ==> 
-SND ( I_hold_B (a' u')) ==> 
(1 <» u' ) «■«■> 


THENL [ 


Naw_Stata_Ia_PH s' a' (u'+l) " ASSUMB_TAC 


Subgoal li (New Subgoal) 

REPEAT STRIP_TAC 

THEN ASSOMB_TAC (OEN_ALL P_£sm_hold_ISO) 

THEN SPBCL_ASSUM_TAC 

("Is a p t. PCSat_Corract sap ==> 

(P_f8m_biold_S(8(t + 1)) = SND ( I_hold_B ( a t)))'', 
["8' itimaC->pe_8tata"» "a' itimac->pc_env"; "p' itimeC->pc_out"; 
"u' itimeC"] ) 


THEN RES_TAC 

THEN ASSUMB_TAC (SPECL t"U' itimeC"; "1"J LESS_BQ_ADD) 

THEN XMP_RES_TAC LBSS_EQ_TRANS 
THEN IMP_RBS_TAC P_FSM_RST_FALSB 
THEN IMP_RES_TAC P_£sm_8tata_IS0 

THEN SUBOOAL_THEN "P_£am_stateS (s' (u'+l)) » PH" ASSDME_TAC 
THENL ( 


Subgoal l.lt (New subgoal) 

RBWRITB_ASSUM_TAC ( "New_State_Is_PH s' a' u'", [New_State_Is_PH] ) 
THEN ASM_REWRXTE_TAC t) 


THEN SUBOOAL_THBN "-P_£sm_hold_S (8' (u'+l))" ASSUMB_TAC 
THENL ( 

Subgoal l.lt (New subgoal) 


103 



THEN ASM_RBWRITE_TAC [ ] 


% 

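% EVENTUALLY_PA_AFTER_PH
  Strengthens EVENTUALLY_PA_ON_OR_AFTER_PH to a strictly later time: the
  witness u' satisfies t' < u'.  From the weaker lemma, u' >= t'; equality
  is excluded because the next state at t' is PH while at u' it is PA, and
  PH_IMP_NOT_PA rules that out.
  SOUNDNESS CAVEAT: the first step resolves against
  EVENTUALLY_PA_ON_OR_AFTER_PH, which is introduced with mk_thm (unproved),
  so this lemma is conditional on that assumption.
  Review note: OCR transcription; identifiers restored, not re-run. %
let EVENTUALLY_PA_AFTER_PH = TAC_PROOF
 (([],
   "! (t' :timeC) (s' :timeC->pc_state) (e' :timeC->pc_env) (p' :timeC->pc_out)
      (t :timeT) (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (pti :PTI) .
     PCSet_Correct s' e' p' ==>
     PT_Exec pti s e p t ==>
     IBA_PMaster pti e p t e' p' ==>
     Rst_Slave pti e t e' ==>
     (t' > 0) ==>
     New_State_Is_PH s' e' t' ==>
     (?u' :timeC .
       (t' < u') /\
       STABLE_FALSE_THEN_TRUE (\v'. New_State_Is_PA s' e' v') (t',u'))"),
  REPEAT STRIP_TAC
  THEN IMP_RES_TAC EVENTUALLY_PA_ON_OR_AFTER_PH
  THEN EXISTS_TAC "u' :timeC"
  THEN ASM_REWRITE_TAC []
  THEN NRULE_ASSUM_TAC
   ("STABLE_FALSE_THEN_TRUE (\v'. New_State_Is_PA s' e' v') (t',u')",
    (BETA_RULE o (REWRITE_RULE [STABLE_FALSE_THEN_TRUE])))
  THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
  % t' <= u' splits into t' < u' (done) or t' = u' (contradiction) %
  THEN IMP_RES_TAC LESS_OR_EQ
  THEN UNDISCH_TAC "New_State_Is_PH s' e' t'"
  THEN ASM_REWRITE_TAC [New_State_Is_PH]
  THEN REWRITE_ASSUM_TAC ("New_State_Is_PA s' e' u'", [New_State_Is_PA])
  THEN DISCH_TAC
  THEN IMP_RES_TAC PH_IMP_NOT_PA
 );;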

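% NOT_PTSTATE_IMP_NOT_PCSTATE
  If the transaction-level FSM state is not x, and the clock-level FSM state
  equals the transaction-level one, then the clock-level state is not x.
  Proved by cases on x using the induction theorem of pfsm_ty; the three
  branches correspond to the constructors PH, PA and PD, each discharged
  with the matching NOT_xx lemma and constructor distinctness.
  Review note: OCR transcription; identifiers restored, not re-run. %
let NOT_PTSTATE_IMP_NOT_PCSTATE = TAC_PROOF
 (([],
   "! (x :pfsm_ty) (s :timeT->pt_state) (t :timeT) (s' :timeC->pc_state)
      (t' :timeC) .
     ~(PT_fsm_stateS (s t) = x) ==>
     (P_fsm_stateS (s' t') = PT_fsm_stateS (s t)) ==>
     ~(P_fsm_stateS (s' t') = x)"),
  INDUCT_THEN (prove_induction_thm pfsm_ty_Axiom) ASSUME_TAC
  THEN REPEAT STRIP_TAC
  THENL [
   % x = PH %
   IMP_RES_TAC NOT_PH
   THEN ASM_REWRITE_ASSUM_TAC
    ("P_fsm_stateS (s' (t':timeC)) = PH",
     [SYM_RULE (prove_constructors_distinct pfsm_ty_Axiom)])
   ;
   % x = PA %
   IMP_RES_TAC NOT_PA
   THEN ASM_REWRITE_ASSUM_TAC
    ("P_fsm_stateS (s' (t':timeC)) = PA",
     [SYM_RULE (prove_constructors_distinct pfsm_ty_Axiom);
      prove_constructors_distinct pfsm_ty_Axiom])
   ;
   % x = PD %
   IMP_RES_TAC NOT_PD
   THEN ASM_REWRITE_ASSUM_TAC
    ("P_fsm_stateS (s' (t':timeC)) = PD",
     [SYM_RULE (prove_constructors_distinct pfsm_ty_Axiom);
      prove_constructors_distinct pfsm_ty_Axiom])
  ]
 );;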

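% PREC_TAC
  A tactic (an ML value, not a theorem) packaging the recurring opening
  moves of the lemmas below: resolve with PREC, unfold PStateAbs into its
  conjuncts, strip them into assumptions, resolve, rewrite the P_rqtS /
  PT_rqtS correspondence, and lift "state is not x" from the transaction
  level to the clock level with NOT_PTSTATE_IMP_NOT_PCSTATE.  It refers to
  the goal's variables by name (pti, s, e, p, t, s', e', p', tp'), so it only
  applies to goals using exactly that naming.
  Review note: OCR transcription; identifiers restored, not re-run. %
let PREC_TAC =
  IMP_RES_TAC PREC
  THEN REWRITE_ASSUM_TAC
   ("PStateAbs pti s e p t s' e' p' tp'", [PStateAbs])
  THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
  THEN RES_TAC
  THEN ASM_REWRITE_ASSUM_TAC
   ("P_rqtS (s' (tp':timeC)) = PT_rqtS (s (t:timeT))", [])
  THEN IMP_RES_TAC NOT_PTSTATE_IMP_NOT_PCSTATE;;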


104 



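% P_DEST1_TRUE_IMP_P_FSM_MRQT_FALSE
  In a correct P-port clock set, at any t' > 0, if the latched destination
  bit P_dest1S is set then the FSM memory-request flag P_fsm_mrqtS is clear.
  Proof: rewrite t' as (t'-1)+1 (t' > 0 gives 1 <= t'), then relate both
  state components at (t'-1)+1 to the inputs at t'-1 through their ISO
  lemmas.  The semantic reading (dest1 selects a non-memory target) is
  inferred from the names; confirm against the PIU specification.
  Review note: OCR transcription; identifiers restored, not re-run. %
let P_DEST1_TRUE_IMP_P_FSM_MRQT_FALSE = TAC_PROOF
 (([],
   "! (t' :timeC) (s' :timeC->pc_state) (e' :timeC->pc_env) (p' :timeC->pc_out) .
     PCSet_Correct s' e' p' ==>
     (t' > 0) ==>
     P_dest1S (s' t') ==>
     ~P_fsm_mrqtS (s' t')"),
  REPEAT GEN_TAC
  THEN DISCH_TAC
  THEN DISCH_TAC
  THEN IMP_RES_TAC (RIMP ONE_LESS_EQ)
  THEN IMP_RES_TAC (SPECL ["t' :timeC"; "1"] (SYM_RULE SUB_ADD))
  % rewrite t' to (t' - 1) + 1 once, then drop the equation %
  THEN PURE_ONCE_ASM_REWRITE_TAC []
  THEN POP_ASSUM (\thm. ALL_TAC)   % KEEP THIS %
  THEN DISCH_TAC
  THEN IMP_RES_TAC (SYM_RULE P_dest1_ISO)
  THEN IMP_RES_TAC P_fsm_mrqt_ISO
  THEN ASM_REWRITE_TAC []
 );;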

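% ALE_SIG_IB_FALSE_AWAITING_CGNT
  While the C-bus grant input I_cgnt_E stays asserted over [tp', ti') and
  the transaction targets the address space selected by bit 31 of L_ad_inE
  at tp', the I-bus ALE output ale_sig_ib remains false over [tp', ti'-1].
  Proof sketch: assume ale_sig_ib is true at some t' in the interval; by
  FIRST_EXISTS1 take the first such time u.  Case u = tp' (Subgoal 1) is
  refuted by unfolding ale_sig_ib with the male / rale / cale ISO lemmas
  given the request state at tp'; case tp' < u (Subgoal 2) uses
  NEW_P_DEST1_STABLE_FROM_TP'_TO_TI' to show the destination bit is still
  latched at u and again unfolds ale_sig_ib.
  Review note: OCR transcription.  The scan interleaved the closing
  ] );; of this proof before Subgoal 2; the bracket structure below is the
  reconstruction (THENL [ Subgoal 1 ; Subgoal 2 ]).  The L_ad_inE argument
  in the statement read (s' tp') in the scan and has been corrected to
  (e' tp') as everywhere else.  Not re-run. %
let ALE_SIG_IB_FALSE_AWAITING_CGNT = TAC_PROOF
 (([],
   "! (t :timeT) (pti :PTI)
      (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (s' :timeC->pc_state) (e' :timeC->pc_env) (p' :timeC->pc_out)
      (tp' ti' :timeC) .
     PCSet_Correct s' e' p' ==>
     NTH_TIME_TRUE t (ale_sig_pb e') 0 tp' ==>
     tp' > 0 ==>
     PT_Exec pti s e p t ==>
     PT_PreC pti s e p t ==>
     PStateAbs pti s e p t s' e' p' tp' ==>
     IBA_PMaster pti e p t e' p' ==>
     Rst_Slave pti e t e' ==>
     STABLE_TRUE_THEN_FALSE (bsig I_cgnt_E e') (tp',ti') ==>
     ELEMENT (FST (L_ad_inE (e' tp'))) 31 ==>
     (tp' < ti') ==>
     STABLE_FALSE (ale_sig_ib p') (tp',ti'-1)"),
  REPEAT STRIP_TAC
  THEN IMP_RES_TAC (REWRITE_RULE [PRE_SUB1] LT_IMP_LE_PRE)
  THEN ASM_REWRITE_TAC [STABLE_FALSE]
  THEN REPEAT STRIP_TAC
  % u = first time in [tp', ti'-1] at which ale_sig_ib is true %
  THEN ASSUME_TAC
   (BETA_RULE
    (SPECL ["ale_sig_ib p'"; "t' :timeC"; "tp' :timeC"; "ti'-1"] FIRST_EXISTS1))
  THEN RES_TAC
  THEN DELETE_ASSUM_TAC
   "ale_sig_ib p' t' /\ tp' <= t' /\ t' <= (ti' - 1) ==>
    (?u. tp' <= u /\ u <= (ti' - 1) /\
         STABLE_FALSE_THEN_TRUE (ale_sig_ib p') (tp',u))"
  THEN SUBGOAL_THEN "tp' < u" ASSUME_TAC
  THENL [
   % Subgoal 1: "tp' < u" (the case u = tp' is contradictory) %
   REWRITE_ASSUM_TAC ("tp' <= u", [LESS_OR_EQ])
   THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
   THEN ASM_REWRITE_TAC []
   THEN PREC_TAC
   THEN ASM_REWRITE_ASSUM_TAC ("ELEMENT (FST (L_ad_inE (e' (tp':timeC)))) 31", [])
   THEN NRULE_ASSUM_TAC
    ("STABLE_TRUE_THEN_FALSE (bsig I_cgnt_E e') (tp',ti')",
     (BETA_RULE o (REWRITE_RULE [STABLE_TRUE_THEN_FALSE; bsig; BSel])))
   THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
   THEN ASSUME_TAC (SPEC "tp' :timeC" LESS_EQ_REFL)
   THEN SPEC_ASSUM_TAC
    ("!t. tp' <= t /\ t < ti' ==> SND (I_cgnt_E (e' t))", "tp' :timeC")
   THEN RES_TAC
   THEN ASM_REWRITE_ASSUM_TAC ("SND (I_cgnt_E (e' (tp':timeC)))", [])
   THEN NRULE_ASSUM_TAC
    ("STABLE_FALSE_THEN_TRUE (ale_sig_ib p') (tp',u)",
     (BETA_RULE o (REWRITE_RULE [STABLE_FALSE_THEN_TRUE])))
   THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
   THEN UNDISCH_TAC "ale_sig_ib p' u"
   THEN REWRITE_TAC [ale_sig_ib; BSel]
   THEN BETA_TAC
   THEN IMP_RES_TAC I_male_ISO
   THEN IMP_RES_TAC I_rale_ISO
   THEN IMP_RES_TAC I_cale_ISO
   THEN ASM_REWRITE_TAC [WIRE]
   THEN COND_CASES_TAC
   THEN ASM_REWRITE_TAC [prove_constructors_distinct wire;
                         SYM_RULE (prove_constructors_distinct wire)]
   ;
   % Subgoal 2: (Continue) - [ "tp' < u" ] - %
   IMP_RES_TAC (REWRITE_RULE [PRE_SUB1] LT_IMP_LE_PRE)
   THEN IMP_RES_TAC STABLE_FALSE_THEN
   THEN ASSUME_TAC (SPEC "u:timeC" LESS_EQ_REFL)
   THEN IMP_RES_TAC NEW_P_DEST1_STABLE_FROM_TP'_TO_TI'
   THEN NRULE_ASSUM_TAC
    ("STABLE_TRUE_THEN_FALSE (bsig I_cgnt_E e') (tp',ti')",
     (BETA_RULE o (REWRITE_RULE [STABLE_TRUE_THEN_FALSE; bsig; BSel])))
   THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
   THEN SPEC_ASSUM_TAC
    ("!t. tp' <= t /\ t < ti' ==> SND (I_cgnt_E (e' t))", "u:timeC")
   THEN IMP_RES_TAC (RIMP ONE_LESS_EQ)
   THEN IMP_RES_TAC LESS_EQ_TRANS
   THEN IMP_RES_TAC (REWRITE_RULE [PRE_SUB1] LE_PRE_IMP_LT)
   THEN RES_TAC
   THEN REWRITE_ASSUM_TAC
    ("STABLE_FALSE_THEN_TRUE (ale_sig_ib p') (tp',u)",
     [STABLE_FALSE_THEN_TRUE])
   THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
   THEN UNDISCH_TAC "ale_sig_ib p' u"
   THEN UNDISCH_TAC "P_dest1S (s' (u + 1))"
   THEN IMP_RES_TAC P_dest1_ISO
   THEN ASM_REWRITE_TAC []
   THEN DISCH_TAC
   THEN REWRITE_TAC [ale_sig_ib; BSel]
   THEN BETA_TAC
   THEN IMP_RES_TAC I_male_ISO
   THEN IMP_RES_TAC I_rale_ISO
   THEN IMP_RES_TAC I_cale_ISO
   THEN ASM_REWRITE_TAC [WIRE]
   THEN COND_CASES_TAC
   THEN ASM_REWRITE_TAC [prove_constructors_distinct wire;
                         SYM_RULE (prove_constructors_distinct wire)]
  ]
 );;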

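% ALE_SIG_IB_TRUE_AFTER_TP'
  Existence of an I-bus ALE pulse strictly after the P-port ALE at tp',
  i.e. of a ti' such that ale_sig_ib is false over [tp', ti') and true at
  ti', in every case EXCEPT the one handled by ALE_SIG_IB_TRUE_ON_TP'
  (destination bit 31 clear and the next state at tp' already PA).
  Structure (after DE_MORGAN_THM turns the hypothesis into a disjunction):
   Subgoal 1  bit 31 set: the C-bus request output I_crqt_O rises at tp'
              (CHANGES_FALSE), the IBA_READY_ASSUMPS give a grant interval
              ending at some v', ALE_SIG_IB_FALSE_AWAITING_CGNT keeps ALE
              low until v'-1, and v' itself is the witness.
   Subgoal 2  next state at tp' is not PA: NEXT_STATE_NOT_PA splits into
              2.1 next state PD, refuted via P_RQT_PREVENTS_NEW_STATE_PD;
              2.2 next state PH, where EVENTUALLY_PA_AFTER_PH supplies the
              first later time u' with next state PA, ALE is shown low on
              [tp', u'-1], and u' is the witness.
  SOUNDNESS CAVEAT: Subgoal 2.2 depends on EVENTUALLY_PA_AFTER_PH, hence on
  the mk_thm axiom EVENTUALLY_PA_ON_OR_AFTER_PH; this lemma and everything
  built on it (IBUS_TRANS_EXISTS) is conditional on that assumption.
  Review note: OCR transcription.  Identifiers restored to canonical
  spelling; closing brackets that the scan dropped or displaced have been
  reconstructed from the subgoal comments; a THEN missing between the two
  NRULE_ASSUM_TAC steps of Subgoal 1.2.2.1 has been supplied.  The lemma
  names COND_TRUE_TRUE and COND_TRUE_CHOICES in Subgoal 2.2.2.2.2 are the
  most plausible de-garbling and should be checked against the source
  theory.  Not re-run. %
let ALE_SIG_IB_TRUE_AFTER_TP' = TAC_PROOF
 (([],
   "! (t :timeT) (pti :PTI)
      (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (s' :timeC->pc_state) (e' :timeC->pc_env) (p' :timeC->pc_out)
      (tp' :timeC) .
     PCSet_Correct s' e' p' ==>
     NTH_TIME_TRUE t (ale_sig_pb e') 0 tp' ==>
     (tp' > 0) ==>
     PT_Exec pti s e p t ==>
     PT_PreC pti s e p t ==>
     PStateAbs pti s e p t s' e' p' tp' ==>
     IBA_PMaster pti e p t e' p' ==>
     Rst_Slave pti e t e' ==>
     ~(~ELEMENT (FST (L_ad_inE (e' tp'))) 31 /\
       New_State_Is_PA s' e' tp') ==>
     (?ti' :timeC . STABLE_FALSE_THEN_TRUE (ale_sig_ib p') (tp',ti'))"),
  REWRITE_TAC [DE_MORGAN_THM]
  THEN PURE_ONCE_REWRITE_TAC [DISJOINT_OR]
  THEN REPEAT STRIP_TAC
  THEN IMP_RES_TAC IBA_READY_ASSUMPS
  THEN IMP_RES_TAC PREC
  THEN RES_TAC
  THENL [
   % Subgoal 1: [ "ELEMENT (FST (L_ad_inE (e' tp'))) 31" ] %
   SUBGOAL_THEN "CHANGES_FALSE (bsig I_crqt_O p') tp'" ASSUME_TAC
   THENL [
    % Subgoal 1.1: "CHANGES_FALSE (bsig I_crqt_O p') tp'" %
    REWRITE_TAC [CHANGES_FALSE; bsig; BSel]
    THEN BETA_TAC
    THEN CONJ_TAC
    THENL [
     % Subgoal 1.1.1: "(tp' = 0) \/ SND (I_crqt_O (p' (tp' - 1)))" %
     DISJ2_TAC
     THEN PREC_TAC
     THEN REWRITE_ASSUM_TAC ("tp' > 0", [SYM_RULE ONE_LESS_EQ])
     THEN IMP_RES_TAC (SPECL ["tp' :timeC"; "1"] SUB_ADD)
     THEN IMP_RES_TAC (SYM_RULE P_rqt_ISO)
     THEN SPEC_UNDISCH_MATCH_RHS_TAC ("P_rqtS (s' (t + 1))", "tp'-1")
     THEN ASM_REWRITE_TAC []
     THEN DISCH_TAC
     THEN IMP_RES_TAC I_crqt_ISO
     THEN ASM_REWRITE_TAC []
     ;
     % Subgoal 1.1.2: "~SND (I_crqt_O (p' tp'))" %
     PREC_TAC
     THEN IMP_RES_TAC RST_FALSE
     THEN SPEC_ASSUM_TAC ("!u' :timeC . SND (RstE (e' u')) = F", "tp' :timeC")
     THEN IMP_RES_TAC P_RQT_PREVENTS_NEW_STATE_PD
     THEN IMP_RES_TAC NTH_ALE_SIG_PB_TRUE
     THEN REWRITE_ASSUM_TAC ("~New_State_Is_PD s' e' tp'", [New_State_Is_PD])
     THEN IMP_RES_TAC I_crqt_ISO
     THEN ASM_REWRITE_TAC []
    ]
    ;
    % Subgoal 1.2: [ "CHANGES_FALSE (bsig I_crqt_O p') tp'" ] %
    RES_TAC
    THEN IMP_RES_TAC ALE_SIG_IB_FALSE_AWAITING_CGNT
    THEN NRULE_ASSUM_TAC
     ("STABLE_TRUE_THEN_FALSE (bsig I_cgnt_E e') (tp',v')",
      (BETA_RULE o (REWRITE_RULE [STABLE_TRUE_THEN_FALSE; bsig; BSel])))
    THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
    THEN SUBGOAL_THEN
     "~SND (I_cgnt_E (e' v')) ==>
      (SND (I_hold_E (e' v')) /\ New_State_Is_PA s' e' v')"
     IMP_RES_TAC
    THENL [
     % Subgoal 1.2.1:
        "~SND (I_cgnt_E (e' v')) ==>
         SND (I_hold_E (e' v')) /\ New_State_Is_PA s' e' v'" %
     SPEC_ASSUM_TAC
      ("!p'. STABLE_FALSE (ale_sig_ib p') (tp',v' - 1)", "p' :timeC->pc_out")
     THEN ASSUME_TAC (SPEC "v' :timeC" LESS_EQ_REFL)
     THEN IMP_RES_TAC SUB_LESS_OR
     THEN ASSUME_TAC (SPECL ["v' :timeC"; "1"] SUB_LESS_EQ)
     THEN IMP_RES_TAC NEW_P_DEST1_STABLE_FROM_TP'_TO_TI'
     THEN IMP_RES_TAC NEW_STATE_PD_FALSE_FROM_TP'_TO_TI'
     THEN IMP_RES_TAC NEW_P_RQT_TRUE_FROM_TP'_TO_TI'
     THEN DISCH_TAC
     THEN POP_ASSUM_LIST
      (MAP_EVERY (\thm. ASSUME_TAC (REWRITE_RULE [BSel] thm)))
     THEN RES_TAC
     THEN ASM_REWRITE_TAC [New_State_Is_PA]
     THEN COND_CASES_TAC
     THEN ASM_REWRITE_TAC []
     THEN REWRITE_ASSUM_TAC ("tp' > 0", [SYM_RULE ONE_LESS_EQ])
     THEN IMP_RES_TAC LESS_EQ_TRANS
     THEN IMP_RES_TAC (SPECL ["v' :timeC"; "1"] SUB_ADD)
     THEN IMP_RES_TAC P_fsm_hold_ISO
     THEN ASM_REWRITE_ASSUM_TAC ("P_fsm_holdS (s' ((v' - 1) + 1))", [])
     THEN ASM_REWRITE_TAC []
     THEN IMP_RES_TAC
      (SPECL ["s' :timeC->pc_state"; "e' :timeC->pc_env"; "v'-1"]
       NEXT_STATE_NOT_PD)
     THENL [
      % Subgoal 1.2.1.1: [ "New_State_Is_PA s' e' (v' - 1)" ] %
      UNDISCH_TAC "New_State_Is_PA s' e' (v' - 1)"
      THEN IMP_RES_TAC P_fsm_state_ISO
      THEN SPEC_UNDISCH_MATCH_LHS_TAC ("P_fsm_stateS (s' (t + 1))", "v'-1")
      THEN ASM_REWRITE_TAC [New_State_Is_PA]
      THEN DISCH_TAC
      THEN DISCH_TAC
      THEN ASM_REWRITE_TAC
       [SYM_RULE (prove_constructors_distinct pfsm_ty_Axiom)]
      THEN POP_ASSUM (\thm. ALL_TAC)
      THEN POP_ASSUM (\thm. ALL_TAC)
      THEN SPEC_ASSUM_TAC
       ("!t. tp' <= t /\ t < v' ==> SND (I_cgnt_E (e' t))", "v'-1")
      THEN IMP_RES_TAC (REWRITE_RULE [PRE_SUB1] LE_IMP_PRE_LT)
      THEN RES_TAC
      THEN IMP_RES_TAC P_fsm_cgnt_ISO
      THEN UNDISCH_TAC "P_fsm_cgntS (s' ((v' - 1) + 1))"
      THEN FILTER_ASM_REWRITE_TAC
       (\tm. not (tm = "(v' - 1) + 1 = v'")) []
      THEN ASM_REWRITE_TAC []
      THEN DISCH_TAC
      THEN ASM_REWRITE_TAC []
      THEN ASM_REWRITE_ASSUM_TAC ("P_dest1S (s' ((v' - 1) + 1))", [])
      THEN IMP_RES_TAC (LIMP ONE_LESS_EQ)
      THEN IMP_RES_TAC P_DEST1_TRUE_IMP_P_FSM_MRQT_FALSE
      THEN ASM_REWRITE_TAC []
      ;
      % Subgoal 1.2.1.2: [ "New_State_Is_PH s' e' (v' - 1)" ] %
      UNDISCH_TAC "New_State_Is_PH s' e' (v' - 1)"
      THEN IMP_RES_TAC P_fsm_state_ISO
      THEN SPEC_UNDISCH_MATCH_LHS_TAC ("P_fsm_stateS (s' (t + 1))", "v'-1")
      THEN ASM_REWRITE_TAC [New_State_Is_PH]
      THEN DISCH_TAC
      THEN DISCH_TAC
      THEN ASM_REWRITE_TAC
       [SYM_RULE (prove_constructors_distinct pfsm_ty_Axiom)]
     ]
     ;
     % Subgoal 1.2.2: [ "SND (I_hold_E (e' v'))" ]
                      [ "New_State_Is_PA s' e' v'" ] %
     EXISTS_TAC "v' :timeC"
     THEN REWRITE_TAC [STABLE_FALSE_THEN_TRUE; ale_sig_ib; BSel]
     THEN BETA_TAC
     THEN ASM_REWRITE_TAC []
     THEN CONJ_TAC
     THENL [
      % Subgoal 1.2.2.1: "!t. tp' <= t /\ t < v' ==>
           ~(SND (I_hlda_O (p' t)) /\
             ((SND (I_male_O (p' t)) = LO) \/
              (SND (I_rale_O (p' t)) = LO) \/
              ~SND (I_cale_O (p' t))))" %
      NRULE_ASSUM_TAC
       ("!p'. STABLE_FALSE (ale_sig_ib p') (tp',v' - 1)",
        ((SPEC "p' :timeC->pc_out") o BETA_RULE o
         (REWRITE_RULE [STABLE_FALSE; ale_sig_ib; BSel])))
      THEN NRULE_ASSUM_TAC
       ("STABLE_FALSE (ale_sig_ib p') (tp',v' - 1)",
        (BETA_RULE o (REWRITE_RULE [STABLE_FALSE; ale_sig_ib; BSel])))
      THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
      THEN GEN_TAC
      THEN IMP_RES_TAC (RIMP ONE_LESS_EQ)
      THEN IMP_RES_TAC LESS_EQ_TRANS
      THEN ASSUME_TAC
       (REWRITE_RULE [PRE_SUB1]
        (SPECL ["t' :timeC"; "v' :timeC"] LT_EQ_LE_PRE))
      THEN RES_TAC
      THEN ASM_REWRITE_TAC []
      ;
      % Subgoal 1.2.2.2: "SND (I_hlda_O (p' v')) /\
           ((SND (I_male_O (p' v')) = LO) \/
            (SND (I_rale_O (p' v')) = LO) \/
            ~SND (I_cale_O (p' v')))" %
      IMP_RES_TAC I_hlda_ISO
      THEN IMP_RES_TAC I_cale_ISO
      THEN REWRITE_ASSUM_TAC ("New_State_Is_PA s' e' v'", [New_State_Is_PA])
      THEN ASM_REWRITE_TAC
       [SYM_RULE (prove_constructors_distinct pfsm_ty_Axiom)]
     ]
    ]
   ]
   ;
   % Subgoal 2: [ "~ELEMENT (FST (L_ad_inE (e' tp'))) 31" ]
                [ "~New_State_Is_PA s' e' tp'" ] %
   IMP_RES_TAC NEXT_STATE_NOT_PA
   THENL [
    % Subgoal 2.1: [ "new state = PD" ] %
    REWRITE_ASSUM_TAC ("PStateAbs pti s e p t s' e' p' tp'", [PStateAbs])
    THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
    THEN RES_TAC
    THEN REWRITE_ASSUM_TAC ("New_State_Is_PD s' e' tp'", [New_State_Is_PD])
    THEN ASM_REWRITE_ASSUM_TAC
     ("P_rqtS (s' (tp':timeC)) = PT_rqtS (s (t:timeT))", [])
    THEN IMP_RES_TAC (SPEC "PT_fsm_stateS (s (t:timeT))" NOT_PD)
    THEN ASM_REWRITE_ASSUM_TAC
     ("P_fsm_stateS (s' (tp':timeC)) = PT_fsm_stateS (s (t:timeT))", [])
    THEN IMP_RES_TAC PA_IMP_NOT_PD
    THEN IMP_RES_TAC PH_IMP_NOT_PD
    THEN IMP_RES_TAC
     (REWRITE_RULE [New_State_Is_PD] P_RQT_PREVENTS_NEW_STATE_PD)
    ;
    % Subgoal 2.2: [ "new state = PH" ] %
    % depends on EVENTUALLY_PA_AFTER_PH, i.e. on the mk_thm axiom %
    IMP_RES_TAC EVENTUALLY_PA_AFTER_PH
    THEN SUBGOAL_THEN
     "STABLE_FALSE_THEN_TRUE (\v'. New_State_Is_PA s' e' v') (tp',u') ==>
      (tp' < u') ==>
      STABLE_FALSE (ale_sig_ib p') (tp',(u'-1))"
     IMP_RES_TAC
    THENL [
     % Subgoal 2.2.1: (New subgoal) %
     REWRITE_TAC [STABLE_FALSE_THEN_TRUE; STABLE_TRUE; ale_sig_ib; BSel;
                  STABLE_FALSE]
     THEN BETA_TAC
     THEN REPEAT STRIP_TAC
     THEN IMP_RES_TAC SUB_LESS_OR
     THEN SPEC_ASSUM_TAC
      ("!t. tp' <= t /\ t < u' ==> ~New_State_Is_PA s' e' t", "t' :timeC")
     THEN REWRITE_ASSUM_TAC ("tp' > 0", [SYM_RULE ONE_LESS_EQ])
     THEN IMP_RES_TAC LESS_EQ_TRANS
     THEN IMP_RES_TAC (REWRITE_RULE [PRE_SUB1] LE_PRE_IMP_LT)
     THEN RES_TAC
     THENL [
      % Subgoal 2.2.1.1: [ "SND (I_male_O (p' t')) = LO" ] %
      UNDISCH_TAC "SND (I_male_O (p' (t':timeC))) = LO"
      THEN IMP_RES_TAC I_male_ISO
      ;
      % Subgoal 2.2.1.2: [ "SND (I_rale_O (p' t')) = LO" ] %
      UNDISCH_TAC "SND (I_rale_O (p' (t':timeC))) = LO"
      THEN IMP_RES_TAC I_rale_ISO
      ;
      % Subgoal 2.2.1.3: [ "~SND (I_cale_O (p' t'))" ] %
      UNDISCH_TAC "~SND (I_cale_O (p' (t':timeC)))"
      THEN IMP_RES_TAC I_cale_ISO
     ]
     THEN REWRITE_ASSUM_TAC ("~New_State_Is_PA s' e' t'", [New_State_Is_PA])
     THEN ASM_REWRITE_TAC [WIRE]
     THEN COND_CASES_TAC
     THEN ASM_REWRITE_TAC
      [SYM_RULE (prove_constructors_distinct wire);
       prove_constructors_distinct wire]
     ;
     % Subgoal 2.2.2 %
     IMP_RES_TAC NEW_P_DEST1_STABLE_FROM_TP'_TO_TI'
     THEN POP_ASSUM (\thm. ALL_TAC)
     THEN POP_ASSUM (\thm. ALL_TAC)
     THEN IMP_RES_TAC NEW_P_RQT_TRUE_FROM_TP'_TO_TI'
     THEN SPEC_ASSUM_TAC
      ("!t'. tp' <= t' ==>
             t' <= u' ==>
             (P_dest1S (s' (t' + 1)) =
              ELEMENT (FST (L_ad_inE (e' tp'))) 31)", "u'-1")
     THEN SPEC_ASSUM_TAC
      ("!t'. tp' <= t' ==>
             t' <= u' ==>
             New_P_Rqt_Is_TRUE s' e' t'", "u'-1")
     THEN ASSUME_TAC (SPEC "u' :timeC" LESS_EQ_REFL)
     THEN ASSUME_TAC (SPEC "u'-1" LESS_EQ_REFL)
     THEN NRULE_ASSUM_TAC
      ("STABLE_FALSE (ale_sig_ib p') (tp',u' - 1)",
       (BETA_RULE o (REWRITE_RULE [STABLE_FALSE])))
     THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
     THEN ASSUME_TAC (SPECL ["u' :timeC"; "1"] SUB_LESS_EQ)
     THEN REWRITE_ASSUM_TAC ("tp' > 0", [SYM_RULE ONE_LESS_EQ])
     THEN IMP_RES_TAC LESS_EQ_TRANS
     THEN RES_TAC
     THEN IMP_RES_TAC (SPECL ["u' :timeC"; "1"] SUB_ADD)
     THEN ASM_REWRITE_ASSUM_TAC
      ("P_dest1S (s' ((u' - 1) + 1)) =
        ELEMENT (FST (L_ad_inE (e' (tp':timeC)))) 31", [])
     THEN NRULE_ASSUM_TAC
      ("STABLE_FALSE_THEN_TRUE (\v'. New_State_Is_PA s' e' v') (tp',u')",
       (BETA_RULE o (REWRITE_RULE [STABLE_FALSE_THEN_TRUE])))
     THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
     THEN EXISTS_TAC "u' :timeC"
     THEN REWRITE_TAC [STABLE_FALSE_THEN_TRUE; ale_sig_ib; BSel]
     THEN BETA_TAC
     THEN ASM_REWRITE_TAC []
     THEN CONJ_TAC
     THENL [
      % Subgoal 2.2.2.1: "!t. tp' <= t /\ t < u' ==>
           ~(SND (I_hlda_O (p' t)) /\
             ((SND (I_male_O (p' t)) = LO) \/
              (SND (I_rale_O (p' t)) = LO) \/
              ~SND (I_cale_O (p' t))))" %
      GEN_TAC
      THEN ASSUME_TAC
       (REWRITE_RULE [PRE_SUB1]
        (SPECL ["t' :timeC"; "u' :timeC"] LT_EQ_LE_PRE))
      THEN RES_TAC
      THEN ASM_REWRITE_TAC []
      THEN NRULE_ASSUM_TAC
       ("!t. tp' <= t /\ t <= (u' - 1) ==> ~ale_sig_ib p' t",
        (BETA_RULE o (REWRITE_RULE [ale_sig_ib; BSel])))
      THEN ASM_REWRITE_TAC []
      ;
      % Subgoal 2.2.2.2: "SND (I_hlda_O (p' u')) /\
           ((SND (I_male_O (p' u')) = LO) \/
            (SND (I_rale_O (p' u')) = LO) \/
            ~SND (I_cale_O (p' u')))" %
      CONJ_TAC
      THENL [
       % Subgoal 2.2.2.2.1: "SND (I_hlda_O (p' u'))" %
       IMP_RES_TAC I_hlda_ISO
       THEN REWRITE_ASSUM_TAC ("New_State_Is_PA s' e' u'", [New_State_Is_PA])
       THEN ASM_REWRITE_TAC
        [SYM_RULE (prove_constructors_distinct pfsm_ty_Axiom)]
       ;
       % Subgoal 2.2.2.2.2: "(SND (I_male_O (p' u')) = LO) \/
            (SND (I_rale_O (p' u')) = LO) \/
            ~SND (I_cale_O (p' u'))" %
       IMP_RES_TAC RST_FALSE
       THEN SPEC_ASSUM_TAC
        ("!u' :timeC. SND (RstE (e' u')) = F", "u' :timeC")
       THEN IMP_RES_TAC P_rqt_ISO
       THEN SPEC_UNDISCH_MATCH_LHS_TAC ("P_rqtS (s' (t + 1))", "u'-1")
       THEN ASM_REWRITE_TAC []
       THEN DISCH_TAC
       THEN ASM_REWRITE_ASSUM_TAC
        ("New_P_Rqt_Is_TRUE s' e' (u'-1)",
         [New_P_Rqt_Is_TRUE; New_State_Is_PD])
       THEN IMP_RES_TAC I_male_ISO
       THEN IMP_RES_TAC I_rale_ISO
       THEN REWRITE_ASSUM_TAC ("New_State_Is_PA s' e' u'", [New_State_Is_PA])
       THEN ASM_REWRITE_TAC
        [SYM_RULE (prove_constructors_distinct pfsm_ty_Axiom);
         prove_constructors_distinct pfsm_ty_Axiom; WIRE;
         COND_TRUE_TRUE; COND_TRUE_CHOICES]
       THEN ASM_CASES_TAC
        "SUBARRAY (P_addrS (s' (u' :timeC))) (25,24) = WORDN 1 3"
       THEN ASM_REWRITE_TAC []
      ]
     ]
    ]
   ]
  ]
 );;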


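% TI'_AFTER_TP'
  If the I-bus ALE pulse found by STABLE_FALSE_THEN_TRUE ends at ti', and
  either bit 31 of L_ad_inE at tp' is set or the next state at tp' is not
  PA, then ti' is strictly later than tp' (ALE cannot already be high at
  tp').  After LESS_OR_EQ the residual case is ti' = tp':
   Subgoal 1  bit 31 set: as in ALE_SIG_IB_TRUE_AFTER_TP', I_crqt_O rises
              at tp' and the grant is still pending, so unfolding
              ale_sig_ib at tp' with the male / rale / cale ISO lemmas
              gives a contradiction whether or not the next state is PH.
   Subgoal 2  next state not PA: IBUS_ALE_IMP_PA says an ALE at tp' forces
              next state PA, contradiction.
  Review note: OCR transcription.  Identifiers restored; the scan placed
  stray closers (L13284-13289 of the scan) inside Subgoal 1.1.1 which are
  dropped here.  In Subgoal 1.1.2 the RstE instance is specialised at ti'
  exactly as the scan shows it, although the sibling proof uses tp'; worth
  checking against the original source.  Not re-run. %
let TI'_AFTER_TP' = TAC_PROOF
 (([],
   "! (t :timeT) (pti :PTI)
      (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (s' :timeC->pc_state) (e' :timeC->pc_env) (p' :timeC->pc_out)
      (tp' ti' :timeC) .
     PCSet_Correct s' e' p' ==>
     NTH_TIME_TRUE t (ale_sig_pb e') 0 tp' ==>
     (tp' > 0) ==>
     PT_Exec pti s e p t ==>
     IBA_PMaster pti e p t e' p' ==>
     Rst_Slave pti e t e' ==>
     PT_PreC pti s e p t ==>
     PStateAbs pti s e p t s' e' p' tp' ==>
     STABLE_FALSE_THEN_TRUE (ale_sig_ib p') (tp',ti') ==>
     (ELEMENT (FST (L_ad_inE (e' tp'))) 31 \/
      ~New_State_Is_PA s' e' tp') ==>
     (tp' < ti')"),
  REWRITE_TAC [STABLE_FALSE_THEN_TRUE; LESS_OR_EQ]
  THEN REPEAT STRIP_TAC
  THEN ASM_REWRITE_TAC []
  THENL [
   % Subgoal 1: [ "ELEMENT (FST (L_ad_inE (e' tp'))) 31" ] %
   IMP_RES_TAC IBA_READY_ASSUMPS
   THEN SUBGOAL_THEN "CHANGES_FALSE (bsig I_crqt_O p') tp'" ASSUME_TAC
   THENL [
    % Subgoal 1.1: "CHANGES_FALSE (bsig I_crqt_O p') tp'" %
    REWRITE_TAC [CHANGES_FALSE; bsig; BSel]
    THEN BETA_TAC
    THEN CONJ_TAC
    THENL [
     % Subgoal 1.1.1: "(tp' = 0) \/ SND (I_crqt_O (p' (tp' - 1)))" %
     DISJ2_TAC
     THEN PREC_TAC
     THEN REWRITE_ASSUM_TAC ("tp' > 0", [SYM_RULE ONE_LESS_EQ])
     THEN IMP_RES_TAC (SPECL ["tp' :timeC"; "1"] SUB_ADD)
     THEN IMP_RES_TAC (SYM_RULE P_rqt_ISO)
     THEN SPEC_UNDISCH_MATCH_RHS_TAC ("P_rqtS (s' (t + 1))", "tp'-1")
     THEN ASM_REWRITE_TAC []
     THEN DISCH_TAC
     THEN IMP_RES_TAC I_crqt_ISO
     THEN ASM_REWRITE_TAC []
     ;
     % Subgoal 1.1.2: "~SND (I_crqt_O (p' tp'))" %
     PREC_TAC
     THEN IMP_RES_TAC RST_FALSE
     THEN SPEC_ASSUM_TAC
      ("!u' :timeC . SND (RstE (e' u')) = F", "ti' :timeC")
     THEN IMP_RES_TAC P_RQT_PREVENTS_NEW_STATE_PD
     THEN UNDISCH_TAC
      "~P_rqtS (s' tp') ==> tp' > 0 ==> ~New_State_Is_PD s' e' tp'"
     THEN FILTER_ASM_REWRITE_TAC
      (\tm. not (tm = "P_fsm_stateS (s' (tp':timeC)) =
                       PT_fsm_stateS (s (t:timeT))"))
      [New_State_Is_PD]
     THEN DISCH_TAC
     THEN IMP_RES_TAC NTH_ALE_SIG_PB_TRUE
     THEN ASM_REWRITE_ASSUM_TAC ("~SND (L_ads_E (e' (tp':timeC)))", [])
     THEN ASM_REWRITE_ASSUM_TAC ("SND (L_den_E (e' (tp':timeC)))", [])
     THEN ASM_REWRITE_ASSUM_TAC
      ("ELEMENT (FST (L_ad_inE (e' (tp':timeC)))) 31", [])
     THEN IMP_RES_TAC I_crqt_ISO
     THEN FILTER_ASM_REWRITE_TAC
      (\tm. not (tm = "P_fsm_stateS (s' (tp':timeC)) =
                       PT_fsm_stateS (s (t:timeT))"))
      [New_State_Is_PD]
    ]
    ;
    % Subgoal 1.2: [ "CHANGES_FALSE (bsig I_crqt_O p') tp'" ] %
    RES_TAC
    THEN NRULE_ASSUM_TAC
     ("STABLE_TRUE_THEN_FALSE (bsig I_cgnt_E e') (tp',v')",
      (BETA_RULE o (REWRITE_RULE [STABLE_TRUE_THEN_FALSE; bsig; BSel])))
    THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
    THEN SPEC_ASSUM_TAC
     ("!t. tp' <= t /\ t < v' ==> SND (I_cgnt_E (e' t))", "tp' :timeC")
    THEN ASSUME_TAC (SPEC "tp' :timeC" LESS_EQ_REFL)
    THEN RES_TAC
    THEN ASM_REWRITE_ASSUM_TAC ("SND (I_cgnt_E (e' (tp':timeC)))", [])
    THEN IMP_RES_TAC PREC
    THEN REWRITE_ASSUM_TAC
     ("PStateAbs pti s e p t s' e' p' tp'", [PStateAbs])
    THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
    THEN RES_TAC
    THEN ASM_REWRITE_ASSUM_TAC
     ("P_rqtS (s' (tp':timeC)) = PT_rqtS (s (t:timeT))", [])
    THEN ASM_REWRITE_ASSUM_TAC
     ("ELEMENT (FST (L_ad_inE (e' (tp':timeC)))) 31", [])
    THEN DELETE_ASSUM_TAC
     "P_fsm_stateS (s' (tp':timeC)) = PT_fsm_stateS (s (t:timeT))"
    THEN UNDISCH_TAC "ale_sig_ib p' ti'"
    THEN REWRITE_TAC [ale_sig_ib; BSel]
    THEN BETA_TAC
    THEN IMP_RES_TAC I_male_ISO
    THEN IMP_RES_TAC I_rale_ISO
    THEN IMP_RES_TAC I_cale_ISO
    THEN ASM_REWRITE_TAC []
    % both cases on the next state at ti' are handled with THEN, as in the
      scan: each REWRITE_ASSUM_TAC only fires in the branch holding its
      assumption %
    THEN ASM_CASES_TAC "New_State_Is_PH s' e' ti'"
    THEN REWRITE_ASSUM_TAC ("New_State_Is_PH s' e' ti'", [New_State_Is_PH])
    THEN ASM_REWRITE_TAC [WIRE; prove_constructors_distinct wire;
                          SYM_RULE (prove_constructors_distinct wire)]
    THEN REWRITE_ASSUM_TAC ("~New_State_Is_PH s' e' ti'", [New_State_Is_PH])
    THEN ASM_REWRITE_TAC [WIRE; prove_constructors_distinct wire;
                          SYM_RULE (prove_constructors_distinct wire)]
   ]
   ;
   % Subgoal 2: [ "~New_State_Is_PA s' e' tp'" ] %
   IMP_RES_TAC IBUS_ALE_IMP_PA
   THEN ASM_REWRITE_ASSUM_TAC ("~New_State_Is_PA s' e' tp'", [])
   THEN RES_TAC
  ]
 );;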

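% IBUS_TRANS_EXISTS
  Top-level liveness fact for the I-bus side of a P-port transaction: after
  the P-port ALE at tp' there exists a time ti' at which the I-bus ALE
  signal fires (false over [tp', ti'), true at ti').  Case split on whether
  bit 31 of L_ad_inE is clear and the next state at tp' is already PA:
   Subgoal 1  yes: ti' = tp' itself, via ALE_SIG_IB_TRUE_ON_TP'; the
              "false before" interval is empty, discharged by cases on
              tp' <= t'.
   Subgoal 2  no:  ALE_SIG_IB_TRUE_AFTER_TP' supplies a later ti'.
  SOUNDNESS CAVEAT: Subgoal 2 rests on ALE_SIG_IB_TRUE_AFTER_TP', which in
  turn rests on the mk_thm axiom EVENTUALLY_PA_ON_OR_AFTER_PH; this result
  is therefore conditional on that unproved statement.
  Review note: OCR transcription; identifiers restored, not re-run. %
let IBUS_TRANS_EXISTS = TAC_PROOF
 (([],
   "! (t :timeT) (pti :PTI)
      (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out)
      (s' :timeC->pc_state) (e' :timeC->pc_env) (p' :timeC->pc_out)
      (tp' :timeC) .
     PCSet_Correct s' e' p' ==>
     NTH_TIME_TRUE t (ale_sig_pb e') 0 tp' ==>
     (tp' > 0) ==>
     PT_Exec pti s e p t ==>
     PT_PreC pti s e p t ==>
     PStateAbs pti s e p t s' e' p' tp' ==>
     IBA_PMaster pti e p t e' p' ==>
     Rst_Slave pti e t e' ==>
     (?ti' :timeC . STABLE_FALSE_THEN_TRUE (ale_sig_ib p') (tp',ti'))"),
  REPEAT STRIP_TAC
  THEN ASM_CASES_TAC
   "~ELEMENT (FST (L_ad_inE (e' tp'))) 31 /\ New_State_Is_PA s' e' tp'"
  THENL [
   % Subgoal 1: [ "~ELEMENT (FST (L_ad_inE (e' tp'))) 31 /\
                   New_State_Is_PA s' e' tp'" ] %
   EXISTS_TAC "tp' :timeC"
   THEN REWRITE_TAC [STABLE_FALSE_THEN_TRUE]
   THEN BETA_TAC
   THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm))
   THEN IMP_RES_TAC ALE_SIG_IB_TRUE_ON_TP'
   THEN ASSUME_TAC (SPEC "tp' :timeC" LESS_EQ_REFL)
   THEN ASM_REWRITE_TAC []
   THEN GEN_TAC
   THEN ASM_CASES_TAC "tp' <= t'"
   THENL [
    % Subgoal 1.1: [ "tp' <= t'" ] %
    IMP_RES_TAC (RIMP NOT_LESS)
    THEN ASM_REWRITE_TAC []
    ;
    % Subgoal 1.2: [ "~tp' <= t'" ] %
    IMP_RES_TAC NOT_LESS_EQ_LESS
    THEN ASM_REWRITE_TAC []
   ]
   ;
   % Subgoal 2: [ "~(~ELEMENT (FST (L_ad_inE (e' tp'))) 31 /\
                     New_State_Is_PA s' e' tp')" ] %
   IMP_RES_TAC ALE_SIG_IB_TRUE_AFTER_TP'
   THEN EXISTS_TAC "ti' :timeC"
   THEN ASM_REWRITE_TAC []
  ]
 );;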

let OFFSET_NEW_STATE_PD_FROM_TI'_TO_T'SACK a TAC_PROOF 

(([], 

" 1 (u' ti' t'sack t timeC) (s' itimeC->pc_state) (e' itimeC->pc_env) 

(p' ttimeC->pc_out) . 

PCSet_Correct s' e' p' »«> 

(tp' > 0) ««> 

PT_Exec pti s e p t ■=> 

PT_PreC pti sept ==> 

PStateAbs pti s e p t s' e' p' tp' ==> 

IBA_PMaster pti a p t a' p' ■» 

Rst_slave pti e t e' «=> 
ale_sig_ib p' ti' ==> 

STABLB_FALSE_THBN_TRWE (Sack_Sig_Is_TROE s' o') (ti' , t'sack) ==> 
((ti'+u'+l) <= t'sack) ==> 

New_State_Is_PD s' e' (ti'+u'+l)"). 
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INDUCT_TAC 
THENL [ 

% Subgoal It (Base Case) % 

REWRITB_TAC ( STABLE_FALSB_THBN_TRUE ; Sack_S ig_Ia_TRUE 1 ADD_CLAUSBS ] 

THEN BETA_TAC 

THEN REPEAT STRIP_TAC 

THEN IMP_RES_TAC IBCS_ALB_IMP_PA 

THEN SUBOOAL_THBN 

"New_State_Is_PA s' e' ti' ==> (P_f sm_stateS (s' (ti'+l)) = PA)" 
IMP_RES_TAC 

THENL t 

% Subgoal 1.1: (New subgoal) % 

RBWRITB_TAC [New_State_Is_PA] 

THEN DISCH_TAC 

THEN IMP_RBS_TAC P_f sm_state_ISO 

THEN SPBC_UNDISCH_MATCH_LHS_TAC ("P_£sm_stateS (s (t+1) ) ", "ti' :timeC") 
THEN ASM_REWRITE_TAC [] 

THEN DISCH_TAC 

THEN ASM_RBWRITB_TAC [] 

; % Subgoal 1.3: [ "P_f sm^stateS (a ' (ti ' + 1)) = PA" ) % 

ASStJMB_TAC 

( PUKE_ONCB_REWRITE_RULE 

[ADD_SYM] (SPBCL ["1" j "ti ' : timeC") LBSS_BQ_ADD) ) 

THEN IMP_RBS_TAC P_PSM_RST_FALSE 
THEN IMP_RES_TAC IBCS_ALE_IMP_FSM_RQT 
THEN ASM_REWRITE_TAC 

[New_State_Is_PD; 

SYH_RULB (prove_construotors_distinct p£ am_ty_Axiom) ] 

1 

I 

% Subgoal 3: (Induction step) % 

REWRITB_TAC [ ADD1 ; ADD_ASSOC ] 

THEN POP_ASSOM_LIST 

(MAP_EVERY (\thm. ASSUME_TAC ( REWRITE_RULE [ ADD1 j ADD_ASSOC ] thm) ) ) 
THEN REPEAT STRIP_TAC 

THEN ASSnME_TAC (SPBCL [" ( ti ' +U ' ) +1" ; "1") LE SS_EQ_ADD ) 

THEN IMP_RBS_TAC LBSS_EQ_TRANS 
THEN RES_TAC 
THEN SOBOOAL_THBN 

"New_State_Is_PD s' e' ((ti'+u')+l) «==> 

(P_fsm_statoS (s' ( ( (ti' +u' ) +1) +1) ) = PD)" 

IMP_RES_TAC 

THENL [ 

% Subgoal 3.1: (New subgoal) % 

RBWRITB_TAC [New_State_Is_PD] 

THEN DISCH_TAC 

THEN IMP_RES_TAC P_f snv_state_ISO 

THEN SPBC_ONDISCH_HATCH_LHS_TAC ("P_f snustateS (s (t+1) ) ", " ( ti ' +u' ) +1") 
THEN ASM_RBWRITE_TAC [] 

THEN DISCH_TAC 

THEN ASM_RBWRITB_TAC [ ] 

I 

% Subgoal 3.3: [ "P_fsm_stateS (s ' ( ( (ti' + u') +1) +1)) = PD" ) % 
SUBGOAL_THBN "~P_f sm_aackS (s' ( ( (ti ' +u' ) +1) +1) ) " ASSOME_TAC 
THENL [ 

% Subgoal 3.3.1: (New subgoal) % 

NRULB_ASStJM_TAC 

( "STABLB_FALSE_THEN_TRUE ( Sack_Sig_Is_TRUE s' e ' ) ( ti ' , t ' sack) " , 
(BETA_ROLB o ( REWRITB_RULE [STABLE_FALSE_THEN_TRUE] ) ) ) 

THEN POP_ASSOM_LXST (MAP_EVERY (\thm. STRIP_ASSUMB_TAC thm)) 

THEN SPBC_ASSUM_TAC 

("It. ti' <= t /\ t < t'sack ==> 

~Saek_Sig_Is_TROE s' e' t", " (ti' +u' ) +1") 

THEN SUBQOAL_THEN "ti' <= ((ti' + u') +1)" ASSUMB_TAC 
THENL [ 

% Subgoal 3. 3. 1.1: (New subgoal) - "ti' <= ((ti' + u') + 1)" % 
REWRITE_TAC £ASS0C_ADD_ADD1;LESS_EQ_ADD] 

I 

% Subgoal 3. 3. 1.3: (Continue) % 

SOBOOALJTHBN "((ti' + u' ) +1) < t ' sack" ASSUMB_TAC 
THENL [ 

% Subgoal 2. 3. 1.2.1: (New subgoal): "((ti'+u') + 1) < t'sack" % 
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ASSUME_TAC 

(SPECL ["l"j"ti'+u'"3 

( PtJRB_ONCB_REWRITE_RULE [ADD_SYM] LESS_BQ_ADD ) ) 

THEN XMP_RES_TAC LESS_EQ_TRANS 

THEN IMP_RES_TAC (RBWRITB_RULE [AUDI] SUC_LE_XMP_LT) 

» 

% Subgoal 2. 2. 1.2. 2: (Continue) % 

RES_TAC 

THEN NRULE_ASSUM_TAC 

( "~Sack_Sig_Is_TRUE s' e'((ti' + u') + 1)", 

(BETA_ROLB o 

(RBWRITE_RULE [Sack_Sig_Ie_TRUB)New_State_Is_PD] ) ) ) 
THEN IMP_RBS_TAC P_f sm_sack_ISO 
THEN ASM_RBWRITE_TAC[] 

1 

] 

; 

% Subgoal 2.2.2s [ "~P_£sm^sackS(s' ( ( (ti' + u') + 1) + 1))" ] % 

ASSUHE.TAC 

( PURE_ONCE_REWRITE_RULE 

[ADD_SVM] (SPECL ["1"; " (ti ' +U' ) +1"] LESS_EQ_ADD) ) 

THEN IMP_RES_TAC P_FSM_RST_PALSE 
THEN ASH_RBWR1TE_TAC 

[New_State_Is_PD»prove_constructors_distinot pf sm_ty_Axiom; 
SYM_RULR (prove_constructors_distinct p£sm_ty_Axiom) ] 

] 

] 

I 

)>; 

let NBW_STATE_PD_FROM_TI ' _TO_T ' SACK = TAC_PROOF 

(([], 

"1 (t' ti' t'sack stlmeC) (s' stimeC->pc_state) (e' stimeC->pc_env) 

(p' stimeC->po_out) . 

PCSet_Correct s' e' p' *=> 

(tp' > 0) 

PT_Bxeo pti sept 
PT_PreC pti s e p t ■■> 

PStateAbs pti s e p t s' e' p' tp' s=> 

IBA_PMaster pti e p t e' p' ==> 

Rst_Slave pti e t e' ==> 
ale_sig_ib p' ti' «•> 

STABLE_FALSB_THBN_TRUB ( Sack_Sig_Xs_TRUE s' e') (ti',t'saok) ==> 

( (ti'+l) <a t ' ) ==> 

(t’ <= t’sack) ==> 

New_State_Is_PD s' e' t'"), 

REPEAT STRIP_TAC 

THEN IMP_RES_TAC (SPEC "t'-ti'+l" OFFSET_NEW_STATE_PD_FROM_TI ' _TO_T ' SACK ) 

THEN SPBCL_ASStJM_TAC 

("It' ti'". (ti' + < ( t ' - (ti'" +1)) +1)) <= t'sack ==> 

New_State_Is_PD s' e'(ti' + ((t' - (ti'" + 1) ) + 1))", 
t"t' :timeC'';"ti' ttimeC"] ) 

THEN SUBOOAL_THBN 

"(ti' + ( ( t ' - (ti' + 1)) + 1)) = t'" 

(\thm. RULB_ASSUM_TAC (REWRITE_RDLE [tbm] ) ) 

THENL [ 

% Subgoal Is -New subgoal- "ti' + ( ( t ' - (ti' +1)) +1) = t'" % 
RBWRITE_TAC [SXM_RBLE (ASSOC_SaB_SUBl) ] 

THEN ASSOMB_TAC ( REWRITE_RULE [] (REDUCE_CONV "1<=1") ) 

THEN XMP_RBS_TAC SUC_LB_IHP_LE 


THEN SUBOOAL_THBN "1 
THENL [ 

<* (t‘ 

’ - ti')" ASSDME_TAC 

% Subgoal 1.1s "1 

A 

11 

n 

’ - ti')" 

[ 

"(ti' 

+ 1) <= t'" 3 % 


REWRITB_TAC 

[SYM_RULE (SPECL ["1"; "t ' -ti ' "; "ti ' s timeC") LESS_BQ_MONO _ADD_EQ) ] 
THEN ASSHME_TAC (SPEC "ti's timeC" LESS_BQ_REFL) 

THEN IMP_RES_TAC 

(SPECL ["t' stimeC";"ti' stimeC"»"ti' stimeC") ASSOC_SUB_ADDl ) 
THEN ASM_RBWRITE_TAC [S0B_BQCAL_O> ADD_CLAUSES] 

THEN PDRE_ONCB_REWRITB_TAC [ADD_SVM] 

THEN ASM_REWRITE_TAC [ ] 


115 



% Subgoal 1.2s [ "1 <■= (t' - ti')" 1 % 

IMP_RBS_TAC (SPECL ["t ' -ti ' " j "1"> "1"] ASS0C_SUB_ADD1) 

THEN ASM_REWRITE_TAC [SUB_EQUAL_0 ; ADD_CLAUSES] 

THEN PORB_ONCB_REWRITE_TAC [ADD_SYM] 

THEN ASStJMB_TAC (SPEC "ti'stimeC" LESS_EQ_REFL) 

THEN IMP_RES_TAC 

(SPECL t"t' :timeC")"ti' itimoC">"ti' ttimeC"] ASS0C_SUB_ADD1 ) 
THEN ASM_RBWRITB_TAC [SOB_RQUAL_0; ADD_CLAUSES] 


% Subgoal 2 % 

RBS_TAC 

] 

)ll 

lot OFFSBT_NBW_STATB_PD_FROM_TI'_TO_T'SACK_1 ■ TAC_PROOF 

(< [], 

"1 (u' ti' t'sack stimeC) (s' stimoC->pc_state) (o' : timsC->pc_env) 

(p' itimeC->pc_out) . 

PCSet_Corroct s' o' p ' ==> 

(tp' > 0) «»> 

PT_Exec pti sept ==> 

PT_ProC pti s o p t =»> 

PStatoAbs pti sopts' o'p' tp' ■=> 

IBA_PMastor pti o p t o' p' ==> 

Rst_Slavo pti o t o' ==> 
alo_sig_ib p' ti' ==> 

STABIiE_FALSE (Sack_Sig_Is_TRCE s' o') ( ti' , t ' sack-1) ==> 
((ti'+u'+l) <« t'sack) ==> 

New_Stato_Is_PD s' o' (ti'+u'+l)"), 

INDOCT_TAC 
THENL [ 

% Subgoal It (Base Case) % 

RBWRITB_TAC [STABLE_FALSE>Sack_Sig_ls_TRDE; ADD_CLAUSES] 

THEN BETA_TAC 

THEN REPEAT STRIP_TAC 

THEN IMP_RBS_TAC IBCS_ALE_IMP_PA 

THEN SUBQOAL_THEN 

"Now_Stato_Xs_PA s' o' ti' ==> (p_£sm_statoS (s' (ti'+l)) = PA)" 
IMP_RES_TAC 

THENL [ 

% subgoal l.lt (New subgoal) % 

REWRI TB_TAC [Now_Stato_IS_PA] 

THEN DISCH_TAC 

THEN IMP_RES_TAC P_£sm_stato_ISO 

THEN SPEC_UNDISCH_MATCH_LHS_TAC ( "P_f sn\_«tateS (s ( t+1) ) ", "ti ' i timeC") 
THEN ASM_REWRXTB_TAC (] 

THEN DISCH_TAC 

THEN ASM_REWRITE_TAC [ ] 

; % Subgoal 1.2: [ "P_£sm_»tat#S(s ' (ti' + 1)) « PA" ] % 

ASSUME_TAC 

( PORB_ONCE_REWRITB_RDLE 

[ADD_SYM] (SPECL C"l" 1 "ti ' t timoC" ] LESS_BQ_ADD) ) 

THEN IMP_RBS_TAC P_FSM_RST_FALSB 
THEN IMP_RBS_TAC IBUS_ALE_XMP_FSM_RQT 
THEN ASMJREWRITE_TAC 

(Naw_StatO_Is_PD j 

SYM_ROLE (prove_conotructors_distinct p£sm_ty_Axiom) ) 


% Subgoal 2t (Induction stop) % 

REWRITB_TAC [ADDlj ADD_ASSOC] 

THEN POP_ASSDM_LIST 

(MAP_EVERY ( \thm. ASSDMB_TAC ( RBWRITE_ROLE [ADD1;ADD_ASS0C] thm) ) ) 
THEN REPEAT STRIP_TAC 

THEN AS3UMB_TAC (SPECL [" (ti'+u' ) +1";"1"] LESS_EQ_ADD ) 

THEN IMP_RBS_TAC LBSS_BQ_TRANS 
THEN RES_TAC 
THEN SUBOOAL_THEN 

"New_State_Is_PD s' e' ((ti'+u')+l) =*> 

(P_£s»_»tateS (s' (( (ti'+u' ) +1) +1) J = PD)" 
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IMP_RBS_TAC 

THBNL [ 

% Subgoal 2.1: (New subgoal) % 

REWRITB_TAC [Now_State_Is_PD] 

THEN DISCH_TAC 

THEN IMP_RES_TAC P_f sm_Stato_ISO 

THEN SPEC_tJNDISCH_MATCH_LHS_TAC ( "P_f sm_statoS (s (t+1) ) ", " (ti ' +u ' ) +1" ) 
THEN ASM_REWRITE_TAC [] 

THEN DISCH_TAC 

THEN ASM_REWRITE_TAC[] 

> 

% subgoal 2.2: [ "P_fsm_statoS (s' ( ( (ti' 4 u') 4 1) 4 1) ) = PD" ] Ss 
SUBQOAL_THBN "-P_f snusackS (s' ( ( (ti ' 4U ' ) 4l) 4l) ) " ASSUME_TAC 
THBNL [ 

% Subgoal 2.2.1: (New subgoal) % 

IMP_RBS_TAC 

( SPBCL [ " ( ( t i ' 4U ' ) 4l ) 4l" ; "t ' sack : timeC" i "1"] LESS_EQ_MONO_SUB ) 

THEN ASSUMB_TAC 

(REWRITB_ROLB [ADD_CLAUSES] 

(REDUCE_RULE (SPECL ["(ti'4U')4l">"l";"l") ASS0C_ADD_SDB1) ) ) 
THEN ASM_REWRITE_ASSOM_TAC 

("((((ti' 4 U') 4 1) 4 1) - 1) <= (t'sack - 1) ", I] ) 

THEN NRULB_ASSUM_TAC 

( "STABLB_FALSE (Sack_Sig_Ia_TRDB s' e ' ) (ti ' , t ' sack - 1)", 
(BBTA_RULB o ( REWRITE_RDLB [STABLE_FALSE] ) ) ) 

THEN POP_ASSUM_LIST ( MAP _E VERY (\thm. STRIP_ASSOME_TAC thm) ) 

THEN SPBC_ASStJM_TAC 

("It. ti' <« t /\ t < (t'sack - 1) «s> 

-Sack_Sig_Is_TRUE s' s' t", " (ti'4u' ) 4l") 

THEN SDBOOAL_THEN "ti' <= ((ti' 4 u' ) 4 1) " ASSDME_TAC 
THBNL [ 

% Subgoal 2. 2. 1.1: (Now subgoal) - "ti' <■ ((ti' 4 u') 4 1)" % 
RBWRITB_TAC [ ASS0C_ADD_ADD1 ; LESS_EQ_ADD ] 

; 

% Subgoal 2. 2. 1.2: (Continue) % 

RES_TAC 

THEN NRDLB_ASSDM_TAC 

( "~Sack_Sig_Is_TRDE s' s'((ti' 4 u') 4 1)", 

(BBTA_RULE o 

( RBWRITE_RtJLE [Sack_Sig_Is_TRUE;New_State_Is_PD] ) ) ) 
THEN IMP_RES_TAC P_f sm_sack_ISO 
THEN ASM_REWRITE_TAC I ] 

] 

; 

% Subgoal 2.2.2: ( "~P_fsnv_sackS(s' ( ( (ti' 4 u') 4 1) 4 1))" ] % 

ASSUME_TAC 

( PURB_ONCB_RBWRITE_RULB 

[ADD_SYM] (SPECL ["1"; " (ti' 4U' ) 4l"l LESS_EQ_ADD) ) 

THEN IMP„RBS_TAC P_FSM_RST_FALSE 
THEN ASM_REWRITB_TAC 

tNsw_Stats_Is_PD;provs_constructors_distinct pf sm_ty_Axiom; 
SYM_RULB (provo_constructors_distinct pf sm_ty_Axiom) ] 

] 

] 

) 

)>; 

lot NBW_STATE_PD_FR0M_TI'_T0_T'SACK_1 - TAC_PROOF 

((t), 

"1 (t' ti' t'sack :timeC) (s' :timoC->pc_state) (o' :timoC->pc_env) 

(p' :timoC->pc_out) . 
pcset_Corroct s' o' p' «■> 

(tp' > 0) ==> 

PT_Bxoc pti s a p t »> 

PT_ProC pti s e p t ■=> 

PStatoAbs pti s apt s' e'p' tp' ==> 

IBA_PMastar pti op t o' p' ~=> 

Rst_Slava pti a t a' ==> 
ale_sig_ib p' ti' ==> 

STABLB_FALSB (Sack_Sig_Is_TROE 8' o') (ti ', t ' sack-1) ==> 

( (ti'4l) <= t') mm> 

(t ' <= t'sack) ==> 
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New_State_Is_PD a' a' t , 

REPEAT STRIP_TAC 

THEN IMP_RES_TAC (SPEC "t'-ti'+l" OFFSBT_NBW_STATE_PD_FROM_TI ' _TO_T ' SACK_1 ) 
THEN SPECL_ASSUM_TAC 

("It' ti'". (ti' + ( (t ' - (ti'" +1)) +1)) <= t ' sack ==> 

New_State_Is_PD s' e'(ti' + ((t' - (ti'" + 1) ) + 1))", 
["t' itimeC"; "ti' itimeC"] ) 

THEN SUBQOAL_THEN 

"(ti' + ((t' - (ti' +1)) +1)) = t'" 

(Sthm. RULE_ASSOM_TAC ( REWRITE_RULE [thm] ) ) 

THENL [ 

% Subgoal li -Now subgoal- "ti' + ( (t ' - (ti' +1)) +1) » t ' " % 

REWRITE_TAC [SYM_RULE ( ASS0C_S0B_SUB1 ) J 

THEN ASSDMB_TAC ( REWRITE_RULE f] (REDOCE_CONV "1<=1") ) 

THEN IMP_RES_TAC SUC_LB_IMP_LE 

THEN SUBOOAL_THBN "1 <= (t' - ti')" ASSUME_TAC 
THENL [ 

% subgoal 1.1s "1 <= (t' - ti')" 

[ "(ti' + 1) <= t'" ) % 

RBWRX TE_TAC 

[SYM_RULE (SPBCL t"l"> "t ' -ti '"» "ti ' t timeC"] LBSS_EQJMONO_ADD_EQ) ] 
THBN ASSOME_TAC (SPEC "ti' itimeC" LESS_EQ_REFL ) 

THEN IMP_RBS_TAC 

( SPBCL ("t' «timaC"!"ti' itimeC";"ti' itimeC"] ASSOC_SUB_ADDl) 

THBN ASM_RBWRITB_TAC [ SUB_EQUAL_0 j ALD_CLAOSES ] 

THBN PORE_ONCE_REWRITE_TAC [ADD_SYM] 

THEN ASM_RBWRITE_TAC [ ] 

I 

% Subgoal 1.2t [ "1 <= (t' - ti')" ] % 

IMP_RBS_TAC (SPBCL t"t ' -ti ' "> "1"; "1"] ASS0C_SUB_ADD1 ) 

THBN ASM_REWRITE_TAC [SOB_EQUAL_0;ADD_CLAUSES] 

THBN PORE_ONCE_REWRITE_TAC [ADD_SYM] 

THEN ASSUME_TAC (SPEC "ti'ltimoC" LBSS_BQ_REFL) 

THEN IMP_RES_TAC 

(SPBCL ["t' itimoC";"ti' itimoC";"ti' ItimeC"] ASSOC_SOB_ATDl) 

THBN ASM_REWRITE_TAC t SUB_EQUAL_0 > ADD_CLAUSES ] 


% Subgoal 2 % 

RES_TAC 

] 

);; 

lot OFFSET_NBW_P_RQT_FALSE„FROM_T'SACK_TO_TP'SOC = TAC_PROOF 

(([], 

"I (u' t'sack tp'suc itimeC) (s' itimoC->pc_state) (o' itimoc->po_onv) 

(p' itimoC->pc_out) . 

PCSot_Corroct s' o' p' ==> 

(tp' > 0) =■> 

PT_Bxac pti s a p t -■=> 

PT_ProC pti s o p t ==> 

PStataAbs pti s a p t s' o' p' tp' --> 

XBA_PMastar pti e p t o' p' ■»> 

Rst_Slava pti a t a' ==> 

Saok_Sig_Is_TRUE s' a' t'sack ==> 

STABLE_FALSE_THBN_TRUE (alo_sig_pb o') (t ' sack, tp'suc) ==> 
((t'sack+u') < tp'suc) 

-Naw_P_Rqt_I»_TRDB s' o' (t'sack+u')"), 

INDUCT_TAC 
THENL [ 

% Subgoal li (Baso Case) % 

REWRITE_TAC 

[ADD_CLAUSES > STABLB_FALSE_THBN_TRDB j alo_s ig_pb ; BSol ; Saek_Sig_Is_TRUE ] 
THBN BBTA.TAC 
THBN REPEAT STRIP_TAC 
THEN SPEC_ASSDM_TAC 

("It. t'sack <■ t /\ t <= (tp'suc - 1) •=> 

- ( ~SND ( L_ads_E ( a ' t) ) /\ SND ( L_don_E ( e ' t) ) ) ", "t 'sackitimoC") 
THBN ASSUMB_TAC (SPEC "t ' sacks timeC" LESS_EQ_REFL ) 

THBN RBS.TAC 

THEN ONDXSCH_TAC "Now_P_Rqt_Is_TRBE s’ o' t'sack" 

THBN ASM_RBWRITE_TAC tNow_P_Rqt_Is_TR0E] 
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% Subgoal 2: (Induction Step) % 

RBWRITE_TAC [ADD1; ADD_ASSOC] 

THEN REPEAT STRIP_TAC 

THEN ASSUME_TAC (SPECL t "t ' »ack+U ; "1" J LBSS_EQ_ADD) 

THEN IMP_RES_TAC LESS_BQ_LBSS_ TRANS 
THEN RBS_TAC 
THEN SUBOOAL_THBN 

"~New_P_Rqt_Ia_TRUE ■' e' (t'aack + u') ==> 

~P_rqtS (s' ( (t'aack + u') + 1))" IMP_RES_TAC 

THENL [ 

% Subgoal 2.1i -New aubgoal- "~New_P_Rqt_Ia_TRUE a' e' (t'aack + u') ==> 

~P_rqtS (s' ((t'sack + u') + 1))" % 
RBWRITE_TAC [New_P_Rqt_Is_TRBB;New_State_Is_PD] 

THEN BETA_TAC 
THEN DISCH_TAC 
THEN IMP_RBS_TAC P_rqt_ISO 
THEN ASM_REWRITE_TAC [] 

; 

% Subgoal 2.2i [ "-P_rqtS (a ' ( (t 'sack + u') + 1))" ] % 

NRULB_ASSOM_TAC 

( "STABLB_FALSE_THBN_TRUE ( ale_a ig_pb e ' ) ( t ' s ack , tp ' sue ) " , 

(BETA_ROLE o ( REWRITB_RDLB [STABLE_FALSE_THBN_TRUE; ale_aig_pb; 

BSel] ) ) ) 

THEN POP_ASSUM_LIST (MAP_EVERY ( \thm. STRIP_ASSDME_TAC thm) ) 

THEN SPEC_ASSOM_TAC 

("!t. t'aack <« t /\ t <= (tp'suc - 1) ==> 

~ ( -SND ( L_ads_E ( e ' t) ) /\ SND ( L_den_E ( e ' t )))"," (t ' aack+u ') +1") 
THEN IMP_RES_TAC (REWRITB_RULE [PRE_SUB1] LT_IMP_LE_PRB ) 

THEN ASSUME_TAC (SPECL ["t 'sacks timeC"; "u' s timeC"] LESS_EQ_ADD ) 

THEN IMP_RES_TAC LESS_BQ_TRANS 
THEN RES_TAC 

THEN ONDISCH_TAC "New_P_Rqt_Is_TRUE a' e'( (t'aack + u') +1)" 

THEN ASM_RBWRITE_TAC 

[New_P_Rqt_Ia_TRUE ; COND_TRUE_TRUE ; COND_FALSE_CHOICES ] 

] 

] 

);; 

let NEW_P_RQT_FALSB_PROM_T ' SACK_TO_TP ' SOC = TAC_PROOF 

(([], 

"1 (t' t'aack tp'suc stimeC) (s' stimeC->pc_state) (e' : timeC ->pc_env) 

(p' :timeC->pc_out) . 

PCSet_Correct s' a' p' ==> 

(tp' > 0) «=> 

PT_Exec pti sept 
PT_PreC ptl sept «=> 

PStateAba ptl septa' a' p' tp' »> 

IBA_PMaster pti a p t e' p' »»> 

Rst_Slave pti eta' ■»> 

Sack_Sig_Ia_TRUB a' e ' t'aack ==> 

STABLB_FALSB_THEN_TRUE (ale_sig_pb e'} ( t ' sack, tp ' sue) ==> 

(t'aack <» t') ==> 

(t' < tp'auc) »»> 

-New_P_Rqt_Ia_TRHE a ' a ' t '" ) , 

REPEAT STRIP_TAC 
THEN IMP_RES_TAC 

( SPEC "t ' -t ' sack" OFFSET_NEW_P_RQT_FALSE_FROM_T ' SACK_TO_TP ' SDC ) 

THEN SPECL_ASSOH_TAC 

("Jt' t'aack". (t'sack + (t' - t'aack")) < tp'auc »=> 

~New_P_Rqt_Is_TRUE s' e' (t'sack + (t' - t'aack"))", 
("t ' i timeC"; "t 'sacks timeC"] ) 

THEN IMP_RBS_TAC 

(SPECL !"t' i timeC" l "t'sack: timeC") 

(PCRE_ONCE_REWRITE_RULB [ADD_SYM] S0B_ADD) ) 

THEN ASM_REWRITE_ASSUM_TAC 

("(t'aack + (t' - t'sack)) < tp'auc «»> 

-New_P_Rqt_Ia_TRUE s' e'(t'sack + (t' - t'aack))",!]) 

) ) ; 

let M_LESS_0_LBSS = TAC_PROOF 

(([], 
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"1 m n . (men) =*> (0 < n)"). 
INDOCT_TAC 

THEN REPEAT STRIP_TAC 
THEN ASM_RBWRITB_TAC [ ] 

THEN IMP_RBS_TAC LT_IMP_LE 
THEN IMP_RBS_TAC SIJC_LB_IMP_LT 
THEN RES_TAC 
);; 


let TRANS_ONTO = TAC_PROOF 

<<[]. 

"I (ti' tp'euc i timed (t itlmeT) 

(s' : t imeC - >pc_a t at e ) (o' itiineC->pc_env) (p' ttimeC->pc_out) 

(s i tlmeT->pt_atate) (e i timeT->pt_env) (p i timeT->pt_out ) . 

PCSet_Correct s' o' p' ==> 

(tp' > 0) »»> 

PT_Exec pti sept =*> 

PT_PreC pti sept ««> 

PStateAbs pti septs'e'p'tp' ==> 

IBA_PMaster pti e p t e' p' ==> 

Rst_Slave pti e t e' ==> 

NTH_TIMB_TRUB t (ale_sig_ib p') 0 ti' ==> 

STABLB_FALSB_THBN_TRUB (ale_sig_pb S') (ti'+l,tp' sue) = = > 
TROB_THEN_STABLE_FALSE (alo_sig_ib p') (ti' ,tp' sue-1) ") , 
EEWRITB_TAC [TROE_THBN_STABLE_FALSB] 

THEN BBTA_TAC 

THEN RBPBAT STRIP_TAC 

THEN ASM_RBWRITB_TAC [] 

THENL [ 

% Subgoal li "ti' <= (tp'suc - 1)" % 

UNDISCH_TAC "STABLB_FALSE_THBN_TRUE (ale_sig_pb e')(ti' + 1, tp’suc)" 
THEN RBWRITB_TAC [ STABLB_FALSB_THEN_TRUE ] 

THEN BBTA_TAC 

THEN REPEAT STRIP_TAC 

THEN IMP_RES_TAC (SPECL ["ti' +1" j "tp' SUCitimeC" j "1"] LESS_BQ_M0N0_SUB ) 
THEN ASSOME_TAC (RBWRITB_RULE [] (REDOCE_GONV "1<=1") ) 

THEN IMP_RE S_TAC 

(REWRITE_RULE [SUB_EQUAL_0>ADD_CLAUSES] 

(SPECL ["ti' it±meC";"l"j"l"] ASSOC_ADD_SUBl ) ) 
THEN ASM_RBWRITB_ASSUM_TAC 

< " < <ti ' + i) - i) <= (tp'suc - i)",n> 

THEN ASM_REWRITB_TAC [ ] 

I 

% Subgoal 2i "ale_sig_ib p' ti'" % 

SOBOOAL_THEN 

"It. NTH_T IME_TR0E t(ale_sig_ib p')0 ti' ==> ale_sig_ib p' ti'" 
IMP_RE S_TAC 
THEN INDUCT_TAC 

THEN RBWRITBJTAC [NTH_TIMB_TROE; STABLE_FALSE_THBN_TROE ; ZERO_LESS_EQ] 
THEN RBPBAT STRIP_TAC 
THEN ASM_RBWRITB_TAC [ ] 


I 


% Subgoal 3i [ "ti' < t'" ] 

[ "t' (tp'suc - 1)" ] 
[ "ale_sig_ib p' t'" ] % 


ASM_CASKS_TAC 

"?t'aack. Saek_Sig_Ia_TROB s' e' t'sack /\ 

(ti'o«t'sack) /\ (t ' sack<»tp' suc-1) " 

THENL [ 

% Subgoal 3.1i [ "7t'sack. Sack_Sig_Is_TRUE s' e' t'sack /\ 

ti' <= t'sack /\ 
t'sack <= tp'suc-1" ] * 

CHOOSB_ASSDM_TAC 

"Tt'sack. Sack_Sig_Is_TRUE s' e' t'sack /\ ti' <= t'sack /\ 
t'sack <= (tp'suc - 1)" 

THEN POP_ASSOM_LIST (MAP_EVERY (\thm. STRIP_ASSUMB_TAC thm) ) 
THEN SOBOOAL_THBN 

"7u. ti' <» U /\ U <» (tp'SUC-1) /\ 

STABLE_FALSE_THEN_TRUB (Sack_Sig_Is_TRUE s' o') (ti' 
ASSOMB_TAC 


THENL [ 

% Subgoal 3.1.1i (New Subgoal) % 


,u)" 
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IMP_RBS_TAC FIRSTJSXISTS 
THBN EXISTS_TAC "u'":timeC" 

THEN ASM_RBWRITB_TAC [ ] 

% Subgoal 3. 1.2 i (Continue) % 

CHOOSE_ASSUM_TAC 

"?u. ti' <= u A u <= (tp'euc - 1) A 

STABLB_FALSB_THBN_TRUE(Saek_Sig_IS_TRUB 8' e')(ti',u)" 

THBN POP_ASSUM_LIST (MAP_BVBRY (\thm. STRIP_ASSUME_TAC thm)) 

THBN NRULB_ASSUM_TAC 

("STABLB_FALSE_THBN_TRUB(Sack_Sig_l8_TRUB s' e ' ) tti ' ,u ' ) ", 
(BBTA_RULE o (RBWRXTBJROLB [STABLB_FALSB_THEN_TRUE) ) ) ) 

THBN POP_ASSOM_LIST (MAP_EVBRY (\thm. STRIP_ASSUME_TAC thm)) 

THBN SUBOOAL_THBN 

"It. NTH_TIMB_TRUB t(ale_sig_ib p')0 ti' ==> 
ale_aig_ib p' ti"' IMP_RBS_TAC 

THBNL [ 

% Subgoal 3. 1.2. It (New subgoal) % 

INDUCT_TAC 

THBN RBWRITB_TAC [ NTH_TIMB_TRUB j STABLE_FALSB_THBN_TRUB ; 

ZBRO_LBSS_BQ] 

THBN RBPBAT STRIP_TAC 
THBN ASM_RBWRITB_TAC [ ] 

/ 

% Subgoal 3. 1.2. 2 i [ "ale_sig_ib p' ti'" J % 

ASM_CASBS_TAC "(ti'+l) <= u" 

THBNL [ 

% Subgoal 3. 1.2. 2. It [ "(ti' + 1) <= u" ] % 

SUBQOAL_THBN 

"STABLB_FALSH_THBN_TRUB (ale_sig_pb e')(ti' + l,tp'suc) ==> 
STABLE _FALSE_THBN_TRUB ( ale_a ig_pb e') (u, tp' sue) " 

IMP_RBS_TAC 
THBNL [ 

% Subgoal 3. 1.2. 2.1. It (New aubgoal) % 

ASSOMB_TAC (SPBCL t"tp'aucttimeC";"l"] SUB_LBSS_EQ) 

THBN IMP_RBS_TAC LESS_BQ_TRANS 

THEN RBWRITB_TAC [STABLE_FALSE_THBN_TRUB] 

THBN RBPBAT STRIP_TAC 
THEN ASM_REWRITB_TAC [] 

THBN SPBC_ASSOM_TAC 

("It. (ti' +1) <* t /\ t < tp'auc •>«> ~ale_eig_pb e' t", 
"t" ttimeC") 

THBN IMP_RES_TAC LBSS_BQ_ TRANS 
THBN RBSJTAC 
I 

% Subgoal 3.1.2.2.1.2: (Continue) % 

ASM_CASBS_TAC "t ' <= u" 

THBNL [ 

% Subgoal 3 . 1 . 2 .2 . 1 .2 . 1 : [ "t' <= u" ] -New_State„Is_PD- % 

IMP_RHS_TAC ( RBWRITB_ROLB [ADD1] LT_IMP_SUC_LB) 

THBN IMP_RBS_TAC NBW_STATB_PD_FROM_TI ' _TO_T ' SACK 
THBN IMP_RBS_TAC IBUS_ALE_IMP_FA 
THBN RBWRITB_ASSOM_TAC 

( "New_State_la_PA s' e ' t ' " , [New_State_Is_PA] ) 

THEN UNDISCH_TAC "New_State_Is_PD s' e' t"' 

THBN ASM_REWRX TB_TAC 

[New_State_Is_PD; 

prove_constructors_distinct p£sm_ty_Axiom] 
l 

% Subgoal 3. 1.2. 2. 1.2. 2: [ "-t' <= u" ] 

-New_P_Rqt_Ia_FALSE -% 

IMP_RB S_TAC NOT_LBSS_BQ_LESS 
THBN IMP_RBS_TAC LT_IMP_LE 
THBN IMP_RES_TAC M_LBSS_0_LBSS 

THBN IMP_RBS_TAC (RIMP (REWRITB_RULB [ORBATBR] ONB_LBSS_EQ) ) 
THBN ASSDMB_TAC (SPBCL t"tp' sue: timeC" J "1"] SUB_LESS_EQ) 
THBN IMP_RBS_TAC LBSS_EQ_TRANS 

THBN IMP_RBS_TAC (RBWRITE_ROLB tPRB_S0B13 LE_PRE_IMP_LT ) 
THBN RBWRITB_ASSUM_TAC 

( "STABLE_FALSB_THBN_TRUB ( Sack_Sig_l8_TRUB 8 ' e ' ) 

(ti',u)", 

[STABLB_FALSE_THBN_TRUB] ) 
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THEN POP_ASSUM_LIST (MAP_BVERY { \thm. STRIP_ASSUME_TAC thm)) 
THEN IMP_RES_TAC NEW_P_RQT_FALSB_FROM_T ' SACK_TO_TP ' SUC 
THEN IMP_RBS_TAC IBUS_ALE_IMP_NBW_P_RQT 
THEN RES_TAC 

3 

3 

; 

% Subgoal 3.1.2.2.2s [ + 1) <= u" 3 -contradiction- % 

IMP_RES_TAC NOT_LESS_BQ_LESS 

THEN IMP_RES_TAC (REWRITE_ROLE [ADD1] LT_SUC_IMP_LB ) 

THEN IMP_RBS_TAC LESS_BQOAL_ANTISYM 
THEN IMP_RES_TAC IBUS_ALB_IMP_PA 
THEN RBWRITE_ASSUM_TAC 

("STABLE_FALSB_THBN_TRlTB(Saek_Sig_Is_TRUB a' e') 

(ti',u)", 

[STABLE_FALSB_THBN_TRUE] ) 

THEN POP_ASSUM_LIST (MAP_EVERY ( \ thm. STRIP_ASSUME_TAC thm)) 

THEN SUBQOAL_THSN 

"Sack_Sig_Is_TRUE s' a' u =»> New_State_Is_PD a' a' u" 
IMP_RBS_TAC 

THENL [ 

% Subgoal 3.1.2.2.2.1t 

"Sack_Sig_ls_TRUE s' a' u »»> New_state_la_PD a' a' u" % 
REWRITB_TAC [Sack_Slg_Ia_TRUB] 

THEN BBTA_TAC 

THEN REPEAT STRIP_TAC 

THEN ASM_REWRITB_TAC [ ] 

; 

% Subgoal 3.1.2.2.2.2s (Continue) % 

REWRITB_ASSUM_TAC 

( "New_State_Ia_PD s' a' u", [New_Stata_Xs_PDJ ) 

THEN UNDISCH_TAC "Naw_Stata_Ia_PA 8' a' ti"' 

THEN FILTER _ASM_REWRITB_TAC 

(\tm. not (tm » "(ustimaC) = ti'")) 

(Naw_Stata_Ia_PA; 

SYM_ROLB (prova_conatructors_distinct pf am_ty_Axiom) 3 
3 
3 
3 
3 

% subgoal 3.2s [ "-(Tt'saek. Sack_Sig_Ia_TRUE s' a' t'aack A 

ti' <= t'aack A 
t'aack <■ tp'suc-1)" 3 * 

DNDISCH_TAC "STABLB_FALSE_THEN_TRUB (ale_sig_pb e')(ti' + l.tp'suc)" 

THEN REWRITB_TAC [ STABLE_FALSE_THEN_TRUE 3 

THEN BETA_TAC 

THEN REPEAT STRIP_TAC 

THEN SUB GO AL_ THEN 

"STABLE_FALSE (Sack_Sig_Ia_TRUE a' a') ( ti' , tp ' suc-1) " ASSUME_TAC 
THENL [ 

% Subgoal 3.2.1s 

"STABLB_FALSE (Sack_Sig_Ia_TRUE s' a' ) (ti' , tp'auc - 1)" % 
REWRITB_TAC £STABLE_FALSE] 

THEN BBTA_TAC 

THEN IMP_RBS_TAC LESS_LBSS_EQ_TRANS 
THEN IMP_RBS_TAC LT_IMP_LE 
THEN ASM_RBWRITE_TAC ( ] 

THEN GBN_TAC 

THEN UNDISCH_TAC "-(Tt'saek. Sack_Sig_Ia_TRUB s' a' t'aack /\ 
ti' <= t'aack A 
t'aack <= (tp'auc-1))" 

THEN RBWRITE_TAC 

[NOT_EXISTS_CONV "-(Tt'saek. Sack_Sig_Is_TRUE a' a' t'aack A 
ti' <« t'aack A t'aack <= (tp' suc-1) ) 
DE_MOROAN_THM] 

THEN QUANT_OUT_IMP_TAC 
THEN EXISTS_TAC "t " s timaC" 

THEN REPEAT STRIPJTAC 
THEN RES_TAC 

» 

% Subgoal 3.2.2s 
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[ "STABLE_FALSE(Sack_Sig_Is_TRUB 8' e ' ) (ti ' , tp' sue - D" ] % 
UNDISCH_TAC "ale_sig_ib p' t ' " 

THEN UNDISCH_TAC "-(?t'sack. Sack_Sig_Is_TRUE s' e' t'sack A 

ti' <= t'sack A 
t'sack <= (tp'suc-1))" 

THEN REWRITE_TAC 

[NOT_EXISTS_CONV "~(? t'sack. Sack_Sig_Is_TRUE s' e' t'sack A 
ti' <= t'sack A t'sack •<= (tp'suc-1))"; 
DB_MORQAN_THM ] 

THEN QUANT_OUT_IMP_TAC 
THEN BXXSTS_TAC "t'ttimeC" 

THEN SUBOOAL_THBN 

"-ti' <= t' \/ ~t ' <= (tp'suc-1) = 

~(ti' <= t' A t' <= (tp'suc-1))" 

( \thm. REWRI TE_TAC [thm]) 

THENL [ 

% Subgoal 3. 2. 2. It -New subgoal - 

"-ti' <= t'sack \/ -t'sack <= (tp'suc-1) = 

~(ti' <= t'sack A t'sack <= (tp'suc-1))" % 

BOOL_CASBS_TAC "ti' <= t ' " 

THEN BOOL_CASBS_TAC "t ' <= (tp'SUC-1)" 

THEN ASM_RBMRITE_TAC[] 

; 

% Subgoal 3 . 2 . 2 . 2 % 

SUBOOAL_THEN 

"la b. a \/ b ■ b \/ a" (\thm. PURE_ONCE_RBWRITE_TAC [thm] ) 

THENL [ 

% Subgoal 3. 2. 2. 2. It "la b. a \/ b = b \/ a" % 

RBPBAT <JBN_TAC 

THEN BOOL_CASES_TAC "atbool" 

THEN BOOL_CASES_TAC "btbool" 

THEN ASM_REWRI TE_TAC [ ] 

I 

% Subgoal 3. 2. 2. 2. 2 % 

RBWRITB_TAC [SYM_RULE IMP_DISJ_THM] 

THEN RBPBAT STRIP_TAC 
THEN StJBGOAL_THEN 

"It. NTH_TIME_TRDE t(ale_sig_ib p')0 ti' ==> 
ale_sig_ib p' ti'" IMP_RES_TAC 

THENL [ 

% Subgoal 3. 2. 2. 2. 2. It (New subgoal) % 

INDOCT_TAC 

THEN REWRI TE_TAC [NTH_TIME_TROB ; STABLE_FALSE_THEN_TRUK ; 

ZERO_LBSS_EQ] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC [ ] 

; 

% Subgoal 3. 2. 2. 2. 2. 2 (Continue) % 

IMP_RES_TAC ( REWRI TE_RULB [ADD1] LT_IMP_SUC_LB ) 

THEN ASSUME _TAC (SPECL [ "tp ' sue t timeC"; "1"] SUB_LBSS_EQ) 
THEN IMP_RBS_TAC LESS_EQ_TRANS 

THEN IMP_RES_TAC NEW_STATB_PD_PROM_TI '_TO_T ' SACK_1 
THEN UNDISCH_TAC "New_State_Is_PD s' e' t" 

THEN IMP_RE S_TAC 

(REWRITE_RULE [New_State_Is_PA] IBUS_ALB_IMP_PA) 

THEN ASM_RBWRITE_TAC 

[New_State_Is_PD; 

prove_constructors_distinct p£sm_ty_Axiom] 


let NTH_TIME_TRUE_X_IMP_X * TAC_PROOF 

(((], 

"1 (n tnum) (t ttime) (x ttime->bool) . 

NTH_TIMB_TRUE n X 0 t =■> X t") , 

INDUCT_TAC 

THEN REWRITE_TAC [NTH_TIME_TRUE > STABLE_FALSE_THEN_TRUE ] 
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THEN REPEAT STRIP_TAC 

THEN RBS_TAC 

THEN ASM_RBWRITB_TAC [ ] 

) II 

let NTH_TIMB_FALSB_X_IMP_NOT_X = TAC_PROOP 

(([], 

"I (n mum) (t (time) (x itime->bool) . 

NTH_TIMB_FALSE n X tO t ==> -X t")/ 

INDUCT_TAC 

THEN RBWRITB_TAC [NTH_TIME_FALSE j STABLB_TRUB_THEN_FALSE ) 

THEN REPEAT STRIP_TAC 

THEN RBS_TAC 

THEN ASM_REWRITB_TAC [ ] 

) i; 

let TRANS_ONB_TO_ONE = TAC_PROOF 

((Cl, 

"l (ti' tp'euc itimeC) (t itimeT) 

(s' :timeC->pc_state) (o' itimec->pc_env) (p' i t imeC - >pc_out ) 

(s t timeT->pt_stat« ) (a itimeT->pt_env) (p itlmeT->pt_out) . 

PCSet_Correct s' e' p' ==> 

(tp' > 0) ==> 

PT_Exec ptl sept ==> 

PT_ProC pti sept ■=> 

PStateAbs ptl septs'e'p’tp' ==> 

PB_Slave pti a p t e' p' tp' ==> 

IBA_PMaster ptl a p t a' p' ==> 

Rst_Slave pti ate' ==> 

NTH_TXME_TRUE t (ale_sig_pb o') 0 tp' ==> 

STABLE_PALSE_THBN_TRtJB (ale_sig_ib p') (tp'.ti') ==> 

TROB_THBN_STABLB_FALSE ( ale_s ig_pb e ' ) ( tp ' , t i ' ) " ) , 

REWRITB_TAC [STABLB_FALSE_THBN_TRUB; TROB_THBN_STABLE_FAI.SE] 

THEN BBTA_TAC 

THEN RBPBAT STRIP_TAC 

THEN IMP_RBS_TAC NBW_STATE_PD_FALSE_FROM_TP '_TO_TI ' 

THEN XMP_RES_TAC NTH_TIMB_TRUE_X_IMP_X 
THEN ASM_RBWRXTE_TAC [] 

THEN NRULB_ASSUM_TAC 

( " ! t 1 ' . STABLE_FALSB(ale_sig_ib p')(tp',ti' - 1) ==> 

(It', tp' <= t ' «»> t' <= ti' «=> ~New_State_Is_PD s' e' t')", 
( (REWRITE_RUIjE [STABLB_FALSE] ) o (SPEC "ti' itimeC") ) ) 

THEN XMP_RBS_TAC LBSS_LBSS_EQ_TRANS 
THEN IMP_RES_TAC (RIMP ONB_LBSS_EQ) 

THEN IMP_RBS_TAC LT_IMP_LB 
THEN IMP_RBS_TAC LESS_BQ_TRANS 

THEN IMP_RES_TAC (REWRITB_RULB [PRB_SOBl] LT_IMP_LB_PRE ) 

THEN RBS_TAC 
THEN SUBOOAL_THEN 

"(It. tp' <= t /\ t <■ (ti' - 1) =*> -ala_sig_ib p' t)" ASSUME_TAC 

THBNIi [ 

% Subgoal li "It. tp' <- t A t <= (ti' - 1) ==> ~ala_sig_ib p' t" % 
OEN_TAC 

THEN SPBC_ASSDM_TAC 

("It. tp' <» t A t < ti' =»> -ale_s ig_ib p' t", "t " itimeC") 

THEN ASM_CASBS_TAC "tp' <= t"" 

THEN ASM_CASES_TAC "t" <- (ti'-l)" 

THEN ASM_REWRITB_TAC [ ] 

THEN IMP_RBS_TAC 

( REWRITE_RULE 

[PRE_S0B1] ( SPBCL ("t " i timeC"; "ti ' itimeC") LE_PRE_IMP_LT) ) 

THEN RBS_TAC 

I 

% Subgoal 2t (Continue) % 

ASM_REWRITB_ASSOM_TAC 

("(It. tp' <« t A t < = (ti' - 1) e=> -ale_sig_ib p' t) ==> 

(It', tp' <= t' =-> t' <« ti' ==> -New_State_Is_PD s' e' t')",[]) 

THEN SDBOOAL_THEN 

"LESS_THAN_N_TIMBS_FALSB 0 (bsig L_ready_0 p') tp' ti'" ASSOMB_TAC 

THENL [ 

% Subgoal 2.1i (New subgoal) % 

REWRITB_TAC [LESS _THAN_N_T IME S_F AL S E ) STABLE_TROE ;bsig;BSel] 
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THEN BETA_TAC 

THEN ASM_RBWRITE_TAC [ ] 

THEN GBNJTAC 
THEN SPEC_ASSUM_TAC 

("It*, tp' <= t' ==> t' <= ti ' ==> ~New_State_Is_PD s' o' t'", 

"t ' ' ttimeC") 

THEN ASM_CASES_TAC "tp' <= t" /\ t" <= ti'" 

THEN ASM_RBWRITB_TAC[] 

THEN POP_ASSUM_LIST ( MAP_EVERY (\thm. STRIP_ASSUMB_TAC thm) ) 

THEN RES_TAC 

THEN IMP_RBS_TAC L_ready_ISO 

THEN REWRITE_ASSUM_TAC ( "~New_Stato_IS_PD s' o' t " ", [Now_Stato_Ia_PD] ) 
THEN ASM_RBWRITE_TAC[] 

I 

% subgoal 2.2t (Continue) % 

SUBQOAL_THBN 

"!n. LBSS_THAN_N_TIMES_FALSE 0 (bsig L_roady_0 p')tp' ti' ==> 
LESS_THAN_N_TIMES_FALSE n(bsig L_roady_0 p')tp' ti'" 

IMP_RES_TAC 
THENL [ 

% Subgoal 2. 2. It (New subgoal) % 

INDUCT_TAC 
THEN DISCH_TAC 
THEN RES_TAC 

THEN ASM_RBWRITE_TAC [LBSS_THAN_N_TIMES_FALSB] 

; 

% Subgoal 2.2.2t (Continue) % 

IMP_RES_TAC PB_RBQUBST_ASSUMPS 
THEN SPEC_ASSOM_TAC 

("!n. LBSS_THAN_N_TIMES_FALSE n(bsig L_ready_0 p')tp' ti'", 
"VAL 1 ( SUBARRAY ( BSe 1 ( L_ad_inB ( e ' (tp' ttimeC) ))) (1, 0) ) ") 

THEN RES_TAC 

THEN REWRITE_ASSUM_TAC 

(«STABLE_FALSE(ale_sig_pb e')(tp' + l,ti'+l) ", [STABLB_FALSE] ) 
THEN POP_ASSUM_LIST (MAP_EVERY ( \thm. STRIP_ASSOME_TAC thm) ) 

THEN SPBC_ASSDH_TAC 

("It. (tp' +1) <m t /\ t <u (ti' + 1) ~ale_sig_pb e' t", 

"t' ttimeC") 

THEN ASSUMB_TAC (SPBCL ["ti' ttimeC " } "1"] LBSS_EQ_ADD) 

THEN IMP_RES_TAC LBSS_EQ_TRANS 

THEN IMP_RES_TAC ( REWRITB_RULE [ADD1] LT_IMP_SOC_LB ) 

THEN RBS_TAC 

] 

] 

] 

);> 

let PRXOR_EVENTS_EXIST = TAC_PROOF 

( m, 

"1 (n m tnum) (x ttime->bool) (t ttime) . 

NTH_TIME_TRUB n X 0 t ««> 

(m < n) ==> 

(?t'. t' < t /\ NTH_TIME_TRUE m X 0 t')"), 

XNDUCT_TAC 
THENL [ 

% Subgoal It (Base Case) % 

REPEAT STRIP_TAC 

THEN ASSOMB_TAC (SPEC "mtnum" ZBRO_LESS_EQ) 

THEN XMP_RBS_TAC LESS_EQ_ANTISYM 

J 

% Subgoal 2t (Induction Step) % 

RBWRITE_TAC [NTH_TXMB_TRUE] 

THEN REPEAT STRIP_TAC 

THEN RBS_TAC 

THEN REWRITE _ASSOM_TAC 

( "STABLE _FALSE_THEN_TRUE x(t' + 1, t) ", [STABLE_FALSE_THEN_TRDE] ) 

THEN POP_ASSUM_LIST (MAPJSVERY ( \thm. STRIP_ASSUME_TAC thm) ) 

THEN IMP_RES_TAC ( REWRITE_RULE [AUDI] SOC_LE_IMP_LT) 

THEN ASM_CASBS_TAC "(mtnum) = n" 

THENL [ 

% Subgoal 2. It [ "m = n" ] % 

EXXSTS_TAC "t ' t time" 
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THEN ASM_RBWRITE_TAC[] 

1 

% Subgoal 2.2: [ "~(m = n) " ] % 

IMP_RBS_TAC NOT_EQ 
THENL [ 

% Subgoal 2 . 2 . 1 i [ "m < n" ] % 

IMP_RES_TAC LESS_EQ_ANTISYM 
THEN RES_TAC 
THEN BXXSTS_TAC 
THEN IMP_RES_TAC LESS_TRANS 
THEN ASM_HEWRITE_TAC [ ] 

; 

% Subgoal 2.2.2: [ "n < m" ] % 

IMP_RES_TAC LT_SUC_IMP_LE 

THEN IMP_RBS_TAC LESS_EQ_ANTISYM 

] 

] 

3 

);; 

let NTH_TRANS_CAUSAL = TAC_PROOF 

(([], 

"! (t itimeT) (tp' ti ' ttlmeC) (e' itimeC->pc_env) (p' :timeC->pc_out) 

(pti :PTI) . 

PCSet_Correct s' e' p' ==> 

PTAbsSet saps' e ' p' ==> 

(tp' > 0) ==> 

PT_Exec pti sept ==> 

PT_PreC pti sept ==> 

PStateAbs pti s e p t s' e' p' tp' ==> 

IBA_PHaster pti e p t e' p' ==> 

Rst_Slave pti e t e' ==> 

NTH_TIMB_TRUE t (ale_sig_pb e') 0 tp' ==> 

NTH_TIMB_TRUE t (ale_sig_ib p') 0 ti' ==> 

(tp' <* ti')"), 

INDtJCT_TAC 
THENL [ 

% Subgoal 1: (Base Case) % 

REPEAT STRIP_TAC 

THEN ASM_CASES__TAC "tp' <= ti'" 

THBN ASM_REWRITB_TAC [ ] 

THEN IMP_RES_TAC NOT_LESS_EQ_LESS 
THEN IMP_RES_TAC (RIMP ONE_LESS_EQ) 

THEN IMP_RHS_TAC ALE_SIO_IB_FALSE_UPTO_FIRST 

THEN DNDISCH_TAC "NTH_TIME_TROE 0(ale_sig_ib p')0 ti'" 

THEN REWRITE_TAC [NTH_TXMB_TROB;STABLE_FALSE_THEN_TRUE>DE_MOROAN_THM] 

THBN REWRITB_ASSUM_TAC 

( "STABLE_FALSB ( ale_s ig_ib p ' ) ( 0 , tp ' - 1) ", [STABLE_FALSB] ) 

THBN POP_ASSUM_LIST (MAP_EVBRY (\thm. STRIP_ASSOME_TAC thm) ) 

THBN SPBC_ASSUM_TAC 

("It. 0 <= t /\ t <= (tp' - 1) mm> -ale_sig_ib p' t", "ti' :timeC") 
THEN ASSOMB_TAC (SPEC "ti' itimeC" ZERO_LESS_EQ ) 

THEN IMP_RES_TAC ( REWRITE_RULE [PRE_SUB1] LT_IMP_LE_PRE ) 

THBN RES.TAC 

THEN ASM_REWRITE_TAC [ ] 

; 

% Subgoal 2: (Induction Step) % 

REPEAT STRIP_TAC 

THEN IMP_RBS_TAC ABS_SET_IMP_ABS 
THEN IMP_RES_TAC PRE_EXEC_PREC 
THBN NRULE_ASSUM_TAC 

("!pti t. PTAbs pti s ept s' e' p'", 

( (REWRITE_ROLE [PTAbs]) o (SPECL [ "ptiO : PTI" ; "t : timeT" ] ) ) ) 

THBN POP_.ASSUM_.LIST (MAP_EVBRY (\thm. STRIP_ASSUME_TAC thm)) 

THEN RES.TAC 
THBN RBS.TAC 

THEN AS SUMB_TAC (SPEC "t: timeT" LESS_SUC_REFL) 

THEN IMP_RBS_TAC PRIOR_BVENTS_EXIST 
THBN RBS.TAC 

THEN IMP_RES_TAC TRANS_ONTO 
THBN SPBC_ASSUM_TAC 

("Itp'suc. STABLE_FALSE_THEN_TRUB(ale_sig_pb e')(t" + l,tp'suc) =-> 
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TRUB_THBN_STABLE_FALSB(ale_sig_ib p ' ) ( t " , tp' sue - 1) ", "tp' :timeC") 
THEN SUBOOAL_THBN 

"STABLE_FALSE_THEN_TRUB(ale_sig_pb e')(tp" + l,tp')" 

ASSOMB_TAC 

THBNL [ 

% Subgoal 2.1: (New Subgoal) % 

REWRITE _ASSUM_TAC 

( "NTH_TIMB_TROB (SUC t) (ale_sig_pb e')0 tp , [NTH_TIME_TRUB] ) 

THEN CHOOSE_ASSUM_TAC 

"?t'. NTH_TIME_TRUE t(ale_sig_pb e')0 t’ A 

STABLE_FALSE_THEN_TRUE ( ale_a ig_pb e')(t' + l,tp' ) " 

THEN POP_ASSOM_LIST (MAP_EVBRY (\thm. STRIP_ASSUME_TAC thro)) 

THEN SDBOOAL_THBN " (tp' ' : timaC) = t'"" (\thm. ASM_RBWRITB_TAC [thro]) 
THEN IMP_RES_TAC TRUB_BVENT_TIMES_EQUAL 
I 

% Subgoal 2.2: (Continue) % 

ASM_CASBS_TAC "(t"+l) <= tp'" 

THBNL [ 

% Subgoal 2.2.1: [ "<t" + 1) <= tp'" ] % 

IMP_RES_TAC 

(RIMP (SPKCL ["tp" :timeC";"t" :timeC";"l"] LE S S_EQ_MONO_ADD_KQ ) ) 
THEN IMP_RKS_TAC SUB_STABLE_FALSB_THEN_TRUB 
THEN RBS_TAC 

THEN ASM_CASBS_TAC "tp' <= ti'" 

THEN ASM_RBWRITB_TAC[] 

THEN IMP_RBS_TAC NOT_LESS_BQ_LBSS 
THEN IMP_RES_TAC NTH_TIME_TROE_X_IMP_X 
THEN NRULE_ASSUM_TAC 

( "TROB_THBN_STABLB_FALSB ( ale_s ig_ib p ' ) ( t " , tp ' - 1)", 

( BETA_RULB o ( REWRITE_RULE [ TRUE_THEN_STABLE_FALSE ] ) ) ) 

THEN POP_ASSOM_LIST (MAP_EVERY (\thro. STRIP_ASSUME_TAC thm) ) 

THEN SPEC_ASSOM_TAC 

("!t. t" < t /\ t <■ (tp'-l) ==> -ale_aig_ib p' t", "ti' :timeC") 
THEN IMP_RBS_TAC TRDE_EVENT_TIMES_MONO 
THEN IMP_RES_TAC LT_IMP_LB 

THEN IMP_RBS_TAC (REWRITE_RULE [PRE_SUB1] LT_IMP_LB_PRE ) 

THEN RBS_TAC 
I 

% Subgoal 2.2.2: [ "-(t" + 1) <= tp'" ) % 

IMP_RBS_TAC NOT_LESS_BQ_LBSS 

THEN IMP_RES_TAC ( RBWRITB_RULE [ADD1] LT_SDC_IMP_LE ) 

THEN IMPURE STAC LESS_BQ_LBSS_TRANS 
THEN IMP_RBS_TAC LT_IMP_LE 
THEN ASM_RBWRITE_TAC [ ] 

] 

] 

] 

) ;; 

%
NTH_TRANS_ONE_TO_ONE

For every trans-level time t: under the antecedent assumptions
(PCSet_Correct, PTAbsSet, tp' > 0, PT_Exec, PT_PreC, PStateAbs,
PB_Slave, IBA_PMaster, Rst_Slave), if the t-th ale_sig_pb event of
e' is at tp' and the t-th ale_sig_ib event of p' is at ti', then
TRUE_THEN_STABLE_FALSE (ale_sig_pb e') (tp',ti').  Once unfolded
(see the SPEC_ASSUM_TAC terms in the contradiction branch below) the
stable-false part says ale_sig_pb e' is false at every clock time
strictly after tp' and up to ti'.  Together with NTH_TRANS_ONTO the
names suggest a one-to-one / onto pairing of P-Bus and I-Bus ALE
events; that reading is not checked here.

Proof by INDUCT_TAC on t.  Base case: NTH_TRANS_CAUSAL and
TRANS_ONE_TO_ONE, then the 0-th ale_sig_ib event is unfolded.
Step case: PTAbs is unfolded for pti0 and t, PRIOR_EVENTS_EXIST and
TRANS_ONE_TO_ONE are applied, then a case split on t'' < tp'; the
positive branch identifies the witness of the (SUC t)-th event with
t'' via TRUE_EVENT_TIMES_EQUAL, the negative branch is closed by
contradiction from TRUE_EVENT_TIMES_MONO.

Reading note: this listing is an OCR scan.  Tactic names such as
THBN / IMP_RBS_TAC / RBS_TAC / SPBC_ASSUM_TAC are THEN / IMP_RES_TAC
/ RES_TAC / SPEC_ASSUM_TAC, "l" inside arithmetic terms is the
numeral 1, a trailing " on a variable (t", tp") is a doubled prime
(t'', tp''), and timeT / timeC are the two time types (s e p range
over timeT, s' e' p' over timeC).
%
let NTH_TRANS_ONB_TO_ONE = TAC_PROOF 

(([], 

"! (t itlmeT) (tp' ti' :tiroeC) 

(s' : timaC- >po_»tate) (e' :tlroeC->po_anv) (p' :timeC->pc_out) 

(s :timeT->pt_atate) (e : timeT->pt_env) (p :timeT->pt_out) 

(pti :PTI) . 

PCSet_Correct e' a' p' ==> 

PTAbaSat s e p s' e' p ' *=> 

(tp' > 0) =»> 

PT_Bxeo pti sept ==> 

PT_PraC pti sept »=> 

PStateAbs pti septs' e'p'tp' ==> 

PB_Slave pti e p t e' p' tp' ==> 

IBA_PMaster pti a p t e' p' ==> 

Rst_Slave pti ate' ==> 

NTH_TIME_TRUE t (ale_sig_pb a') 0 tp' ==> 

NTH_TIME_TROE t (ale_sig_ib p') 0 ti' ==> 

TROE_THEN_STABLE_FALSB (ale_sig_pb e' ) <tp',ti')"), 

INDHCT_TAC 
THBNL [ 

% Subgoal 1: (Base Case) % 

REPEAT STRIP_TAC 

THEN IMP_RBS_TAC NTH_TRANS_CADSAL 
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THEN IMP_RES_TAC TRANS_ONE_TO_ONE 
THEN SPEC_ASStJM_TAC 

( " I ti ' . STABLB_FALSB_THBN_TRUB(ale_sig_ib p' ) (tp' ,ti' ) ==> 
TRUB_THEN_STABLE_FALSE { ale_a ig_pb e'> (tp ' , ti ' ) " , "ti ' : timeC") 
THEN RBWRITS_ASSUM_TAC 

("NTH_TIMB_TROB 0 (ala_aig_ib p')0 ti [NTH_TIME_TRUE] ) 

THEN IMP_RES_TAC ORBATER 
THEN IMP_RBS_TAC LT_IMP_LB 

THEN IMP_RBS_TAC SOB_STABLB_FALSE_THBN_TROE 
THEN RBS_TAC 
I 

% Subgoal 2: (Induction Step) % 

REPEAT STRIP_TAC 

THEN IMP_RBS_TAC ABS_SET_IMP_ABS 
THEN IMP_RBS_TAC PRE_EXEC_PRBC 
THEN NRULE_ASSUM_TAC 

("Ipti t. PTAba pti a a p t a' a' p'", 

( ( REWRITE_RULE [PTAba]) o (SPECL ["ptiO i PTI" ; "t I timeT" ] ) ) ) 

THEN POP_ASSOM_LIST (MAP_EVERY (\thm. STRIP_ASSDMB_TAC thm) ) 

THEN RHS_TAC 
THEN RES_TAC 

THEN ASSOME_TAC (SPEC "t:timeT" IiBSS_SOC_RBFL) 

THEN IMP_RES_TAC PRIOR_BVBNTS_EXIST 
THEN RBS_TAC 

THEN IMP_RES_TAC TRANS_ONE_TO_ONB 
THEN SPEC_ASSUM_TAC 

("Iti'. STABLE_FALSE_THEN_TRUE (ale_aig_ib p') (tp',ti') ==> 
TRDE_THEN_STABLE_FALSE(ala_aig_pb a') ( tp ti "ti timeC") 
THEN ASM_CASES_TAC "t " < tp'" 

THKNL [ 

% Subgoal 2.1: [ "t'' < tp'" ] % 

IMP_RES_TAC LT_IMP_LE 

THEN IMP_RES_TAC NTH_TRANS_CAU SAL 

THEN REWRITE_ASSDM_TAC 

( "NTH_TIME_TRUE ( SDC t) (ale_aig_ib p')0 ti ' [NTH_TIME_TRUE] ) 
THEN CHOOSE_ASSUM_TAC 

"It'. NTH_TIME_TRtJE t (ale_aig_ib p')0 t ' /\ 

STABIiK_FALSB_THEN_TRUE(ala_aig_ib p')(t' + l,tl')" 

THEN POP_ASSOM_LIST ( MAP _E VERY (\thm. STRIP_ASSOME_TAC thm))' 

THEN SOBOOAL_THEN "(t'"ltimeC) = t" " ASSUMB_TAC 
THKNL [ 

% Subgoal 2.1.1: (New Subgoal) % 

IMP_RBS_TAC TROE_EVE NT_T IMS S_EQU AL 

; 

% Subgoal 2.1.2: (Continue) % 

ASM_RBWRITB_ASSUM_TAC 

( "STABLE_FALSE_THEN_TRtrB ( ala_aig_ib p ' > ( t ' ' ' + l,ti')", []) 

THEN IMP_RBS_TAC (RBWRITE_ROLE [ADD1] LT_IMP_SUC_LB ) 

THEN IMP_RES_TAC SOB_STABLE_FALSE_THEN_TRUE 
THEN RES_TAC 

] 

I 

% Subgoal 2.2: [ "~t'' < tp'" ] -contradiction- % 

IMP_HBS_TAC NOT_LBSS 

THEN IMP RB S TAC TROE_BVENT_TIMRS_MONO 
THEN IMP_RES_TAC NTH_TIMB_TROB_X_IMP_X 
THEN RBWRITB_ASSOM_TAC 

( "TRDB_THBN_STABLE_FALSE ( ala_aig_pb a ' ) ( tp " , t " ) " , 
[TROB_THBN_STABLE_FALSK] ) 

THEN POP_ J ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUMB_TAC thm)) 

THEN SPEC_ASSUM_TAC 

("It. tp'' < t /\ t <« t" ==> ~ala_alg_pb a' t", "tp' itimaC") 
THEN RES_TAC 

] 

] 

); j 

%
NTH_TRANS_ONTO

Under the same assumption set as NTH_TRANS_ONE_TO_ONE (with
tp'' > 0 in place of tp' > 0): if the t-th ale_sig_ib event of p' is
at ti'', the t-th ale_sig_pb event of e' is at tp'', and the
(SUC t)-th ale_sig_pb event is at tp', then
TRUE_THEN_STABLE_FALSE (ale_sig_ib p') (ti'',tp'-1), i.e. no further
I-Bus ALE event occurs strictly after ti'' and up to tp'-1, the clock
time before the next P-Bus ALE.

Proof (no induction): REPEAT STRIP_TAC, apply TRANS_ONTO and
specialise its quantified conclusion at tp', apply NTH_TRANS_CAUSAL,
unfold NTH_TIME_TRUE (SUC t) to expose the witness t' of the t-th
event, identify t' with tp'' via TRUE_EVENT_TIMES_EQUAL, then split
on (ti''+1) <= tp'.  The positive branch uses
SUB_STABLE_FALSE_THEN_TRUE; the negative branch derives a
contradiction from NTH_TRANS_ONE_TO_ONE and TRUE_EVENT_TIMES_MONO.

OCR note: "lat" on the first line is "let".
%
lat NTH_TRANS_ONTO = TAC_PROOF 

(( [], 

"1 (t itimaT) (tp' tp' ' ti'' itimeC) 

(a' itimaC->pc_atate) (a' <timaC->pc_anv) (p' ttimaC->pc_out) 
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(s itimeT->pt_state) (e i timeT->pt_env) (p itimeT->pt_out) 

(pti iPTI) . 

PCSet_Correct s' a' p' ==> 

PTAbsSet s e p s' e' p' »> 

(tp' ' > 0) «=> 

PT_Exec pti sept ==> 

PT_PreC pti s apt ==> 

PStateAbs pti s apt s' a' p' tp" ==> 

PB_Slave pti a p t a' p' tp' ' ==> 

IBA_PMaster pti a p t a' p' ==> 

Rst_Slave pti ate' ==> 

NTH_TIME_TRUE t (ale_sig_ib p') 0 ti" ==> 

NTH_TIMB_TRUE t (ale_sig_pb a') 0 tp" ==> 

NTH_TIME_TROB (SUC t) (ale_sig_pb a') 0 tp' ==> 
TRUE_THEN_STABLB_FALSB (ala_sig_ib p') (ti " , tp ' -1) ") , 

RBPBAT STRIP_TAC 

THEN IMP_RB S_TAC TRANS_ONTO 

THEN SPEC_ASSOM_TAC 

( " ! tp ' sue . STABLE_FALSB_THEN_TROE(ale_sig_pb a' ) (ti " +1, tp' sue) ==> 
TRUB_THBN_STABLE_FALSB ( ala_s ig_ib p') (ti" ,tp'suc-l) ", "tp' ttimeC") 
THEN IMP_RBS_TAC NTH_TRANS_CAOSAL 

THEN ASSOME_TAC (SPECL ["ti" ttimeC"; "1"] LESS_EQ_ADD) 

THEN IMP_RBS_TAC LESS_EQ_TRANS 
THEN IMP_RBS_TAC TRUE_EVBNT_TIME S_MONO 
THEN IMP_RES_TAC NTH_T I ME_ TRUB_X_ IMP__X 
THEN REWRITE _ASSUM_TAC 

( "NTH_TIME_TRUE ( SOC t ) (ala_sig_pb e')0 tp ' ", [NTH_TIME_TRUE] ) 

THEN CHOOSB_ASSUM_TAC 

"?t'. NTH_TIMB_TROE t(ale_aig_pb e')0 t' /\ 

STABLE_PAI,SB_THEN_TRtJE ( ale_s ig_pb a')(t' + l,tp')" 

THEN POP_ASSUM_LIST (MAP_BVERY (\thm. STRIP_ASSUME_TAC thm) ) 

THEN SOBOOAL_THEN "(t'ltimaC) = tp"" ASSUME_TAC 
THENL [ 

% Subgoal 1: (New Subgoal) % 

IMP_RBS_TAC TRUB_BVENT_TXMBS_EQUAL 

; 

% Subgoal 2: (Continue) % 

ASM_REWRI TE_AS SUM_TAC 

( "STABLE_PALSE_THEN_TROE ( ala_s ig_pb e')(t’ + i,tp')",[)) 

THEN ASM_CASES_TAC "(ti" + 1) <= tp'" 

THENL [ 

% Subgoal 2.1: [ "(ti'' + 1) <= tp'" ] % 

IMP_RBS_TAC 

(RHa> (SPECL ["tp" ttimeC";"ti" ttimeC"("l"l LESS_EQ_MONO_ADD_EQ ) ) 
THEN IMP_RES_TAC SUB_STABLE_FALSE_THEN_TROE 
THEN RBS.TAC 

) 

% Subgoal 2.2: [ "~(ti'' + 1) <= tp'" ] % 

IMP_RES_TAC NOT_LESS_EQ_LESS 

THEN IMP_RES_TAC ( REWRITE_RDLE [AUDI] LT_SUC_IMP_LE ) 

THEN IMP_RES_TAC NTH_TRANS_ONE_TO_ONE 
THEN RBWRITB_ASSUM_TAC 

( "TRDB_THBN_STABLB_FALSE ( ale_sig_pb a ' ) ( tp " , t i " ) * , 
[TRUB_THEN_STABLB_FALSE] ) 

THEN POP_ASSOM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm)) 

THEN SPEC_ASSOM_TAC 

("It. tp' ' < t A t <= ti" ==> -ale_sig_pb a' t", "tp' t timeC") 
THEN IMP_RES_TAC TRUE_EVENT_TIME S_MONO 
THEN RES_TAC 

] 

) 

);; 

%
NTH_IBUS_TRANS_EXISTS

Existence of the t-th I-Bus ALE event: for every t, given
PCSet_Correct, PTAbsSet, PT_Exec and PT_PreC, there is a clock time
ti' > 0 with NTH_TIME_TRUE t (ale_sig_ib p') 0 ti'.

Proof by INDUCT_TAC on t.  Both cases unfold PTAbs (base case for
pti and 0, step case for pti and SUC t, and again for pti0 and t)
and then split on
   ~ELEMENT (FST (L_ad_inE (e' tp'))) 31 /\ New_State_Is_PA s' e' tp'.
When that holds the I-Bus ALE is true on tp' itself
(ALE_SIG_IB_TRUE_ON_TP') and tp' is the witness; otherwise
ALE_SIG_IB_TRUE_AFTER_TP' supplies a later witness ti' (ti''' in
the step case).  In the step case the stable-false part of
NTH_TIME_TRUE (SUC t) is obtained from NTH_TRANS_ONTO, whose
TRUE_THEN_STABLE_FALSE conclusion on (ti'',tp'-1) is unfolded and
spliced with the interval from ALE_SIG_IB_FALSE_UPTO_FIRST /
SUP_INTERVAL_STABLE_FALSE_THEN_TRUE.

OCR note: bit index "31" is the constant in the ELEMENT term; the
unquantified tp' in the statement comes from the unfolded PTAbs
assumption, not from the theorem binder.
%
let NTH_IBUS_TRANS_EXISTS = TAC_PROOF 

(( [], 

"l (t ttimeT) (pti tPTl) 

(s itimaT->pt_stata) (a ttimeT->pt_anv) (p t timeT->pt_out) 

(s' ttimac->pc_#tata) (a' ttimaC->pc_env) (p' ttimeC->pc_out) 

(tp' ttimaC) 

PCSat_Corract s' a' p' ■=> 

PTAbsSet s a p s' a' p' ==> 

PT_Exac pti sept ==> 
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PTJPreC pti s e p t ==>• 

(?ti'ttimeC. NTH_TIMB_TRCE t (ale_sig_ib p') 0 ti' /\ ti' > 0)"), 
INDUCT_TAC 

THEN REPEAT STRIP_TAC 
THENL [ 

% Subgoal 1: (Base Case) % 

IMP_RES_TAC ABS_SBT_IMP_ABS 
THEN NRtJLB_ASSUM_TAC 

("Ipti t. PTAbs pti s a p t s' a' p'", 

( (RBWRITB_RULE [PTAbs]) o (SPECL ["ptitPTI"; "0"] ) ) ) 

THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSOMB_TAC thm) ) — 

THEN RES_TAC 
THEN RBS_TAC 
THEN ASM_CASBS_TAC 

"-ELEMENT (PST ( L_ad_inE (a' tp ' ) ) ) 31 /\ New_State_Is_PA a' a' tp'" 
THEN IMP_RES_TAC (RXMP ONE_LESS_EQ) 

THEN PURB_ONCE_REWRITE_ASStJM_TAC 

("1 <« tp'", [SYM_RtJLE (REDUCE_CONV "0+1")]) 

THEN IMP_RES_TAC SUC_LB_IMP_LE 
THEN XMP_RES_TAC (R1MP ONE_LESS_SQ) 

THBNL [ 

% Subgoal 1.1: "?ti'. NTH_TIME_TRUE 0 (ale_sig_ib p') 0 ti' /\ ti' > 0" 

[ "~ELEMENT (FST (L_ad_inE (e' tp'))) 31 /\ 

New_State_Is_PA s' e' tp'" ] % 

POP_ASSOM_LIST (MAPJSVBRY (\thm. STRIP_ASSOMB_TAC thm)) 

THEN IMP_RES_TAC ALE_SIG_IB_TRUE_ON_TP ' 

THEN EXISTS_TAC "tp' ttimaC" 

THEN ASM_RBWRITE_TAC [NTH_TIME_TRUE j STABLB_FALSE_THEN_TRUE] 

THEN IMP_RES_TAC ALE_SIG_IB_FALSE_UPTO_FIRST 
THEN NROLE_ASSUM_TAC 

("STABLE_FALSE (ala_sig_ib p')(0,tp' - 1)", 

(BETA.RULE o (REWRITE_ROLE [STABLE_FALSE] ) ) ) 

THEN POF_ASSUM_LIST <MAP_EVBRY (\thm. STRIP_ASSUME_TAC thm)) 

THEN QEN_TAC 
THEN ASSUMB_TAC 

(SPECL ["titimaC";"tp' ttimaC"] 

(REWRITB_RTJLE [PRB_SUBl] LT_KQ_LB_PRE ) ) 

THEN RBS_TAC 

THEN ASM_REWRITE_TAC [] 

I 

% Subgoal 1.2: "?ti'. NTH_TIME_TRUE 0 (ale_sig_ib p') 0 ti' /\ ti' > 0" 

[ "~(~ELEMENT (FST (L_ad_inE (e' tp'))) 31 /\ 
New_State_Is_PA s' e' tp')" ] % 

IMP_RBS_TAC ALE_SIG_IB_TRUB_AFTBR_TP ' 

THEN IMP_RES_TAC ALE_SIO_IB_FALSE_UPTO_FXRST 

THEN IMP_RES_TAC SOP_INTERVAL_STABLE_FALSB_THEN_TRUE 

THEN IMP_RES_TAC (SPECL ["tp' t timeC"; "1" J StIB_ADD) 

THEN ASSDMB_TAC (SPEC "tp' ttimaC" LESS_EQ_REFL) 

THEN RBWRITB_ASSUM_TAC 

("STABLB_FALSB_THEN_TROE(ala_sig_ib p') (tp',ti')", 
[STABLE_FALSE_THEN_TR0B] ) 

THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUMB_TAC thm)) 

THEN IMP_RES_TAC LESS_EQ_TRANS 
THEN ASM_REHRXTE_ASSOM_TAC 

("tp' <= ((tp' - 1) +1) ==> 

0 <= ti' ==> 

STABLE_FALSE_THEN_TRUE (ale_sig_ib p' ) (0,ti' ) ", [] ) 

THEN IMP_RES_TAC (LIMP ONE_LESS_EQ ) 

THEN BXISTS_TAC "ti' ttimaC" 

THEN ASM_REWRXTE_TAC [NTH_TIME_TRUE ) 


% Subgoal 2: (Induction Step) % 

IMP_RES_TAC PRE_EXEC_PREC 
THEN RES_TAC 

THEN IMP_RES_TAC ABS_SET_XMP_ABS 
THEN NRULB_ASSDM_TAC 

("Ipti t. PTAbs pti sept s' e'p'", 

( (REWRITE_RULE [PTAbs]) o (SPECL ["pti t PTI"} "SOC t"] ) ) ) 
THEN IMP_RES_TAC ABS_SBT_IMP_ABS 
THEN NROLE_ASStJM_TAC 
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("!pti t. PTAbs pti 8 e p t s' e' p"', 

( (REWRITE_RULB [PTAbs]) o (SPBCL ["ptiO ! PTI" j "t : timeT" ] ) ) ) 

THEN POP JASSOM_LIST (MAP_BVERY ( \thm. STRIP_ASSOME_TAC thm) ) 

THEN RBS_TAC 
THEN RES_TAC 
THEN ASM_CASBS_TAC 

"-ELEMENT (FST(L_ad_inB (e' tp'))) 31 /\ N*w_State_Is_PA s' e' tp'" 
THEN IMP_RES_TAC (RIMP ONE_LBSS_EQ ) 

THEN PURE_ONCE_REWRITB_ASSOM_TAC 

("1 <= tp'", [SYM_RULE (REDUCE_CONV "0+1")]) 

THEN IMP_RES_TAC SOC_LE_IMP_LE 
THEN IMP_RES_TAC (RIMP ONE_LESS_EQ) 

THENL [ 

% Subgoal 2.1: "?ti'. NTH_TIME_TRUE (SUC t) (ale_sig_ib p') 0 ti' /\ ti' > 0" 
[ "~ELEMENT (FST (L_ad_inE (e' tp'))) 31 /\ 

New_State_Is_PA s' e' tp'" ] % 

EXISTS_TAC "tp' itimeC" 

THEN ASM_REWRITE_TAC [NTH_TIME_TROE ] 

THEN EXISTS_TAC "ti' ' itimeC" 

THEN ASM_REWRITE_TAC [ STABLE_FALSE_THEN_TROE ] 

THEN IMP_RES_TAC NTH_TRANS_ONTO 
THEN NROLB_ASSUM_TAC 

( "TRUB_THBN_STABLE_FALSE ( ale_sig_ib p ' ) ( ti " , tp ' - 1 ) " , 
(BETA_ROLE o (RBWRITB_RULE [TRUB_THEN_STABLB_FALSE] ) ) ) 

THEN POP_ASStJM_LIST (MAP_BVBRY ( \thm. STRIP_ASSUME_TAC thm) ) 

THEN ASSOME.TAC 

( SPBCL t"ti":timaC">"tp'-l"»"l"] (SYM_RULB LESS_EQ_MONO_ADD_EQ) ) 
THEN IMP_RES_TAC (SPECL t"tp> ttimeC"; "1"] SUB_ADD) 

THEN ASM_RBNRITE_ASSOM_TAC ("ti" <= (tp' - 1)",[]) 

THEN IMP_RBS_TAC ALE_SIO_IB_TROE_ON_TP ' 

THEN ASM_REWRITE_TAC [ ] 

THEN OBN_TAC 
THEN SPBC_ASSUM_TAC 

("It. ti" < t' /\ t' <= (tp' - 1) ==> ~ale_sig_ib p' t", 

"t' itimeC") 

THEN IMP_RBS_TAC 

(SPECL ["t' itim«C";"tp' itimeC"] 

(REWRITE_RDLE [PRE_SUB1] LT_EQ_LE_PRE ) ) 

THEN ASM_RBWRITB_TAC 

[RENRITE_RULB [ADD1] 

(SPECL ["ti" itimeC"j"t' itimeC"] (SYM_R0LE LT_EQ_SUC_LE ) ) ] 
THEN ASM_CASBS_TAC "ti" < t' /\ t' <= (tp' - 1)" 

THEN POP_ASStJM_LIST ( MAP _B VERY ( \thm. STRIP_ASSOME_TAC thm)) 

THEN RBS.TAC 

THEN ASM_REWRITE_ TAC [ ] 

I 

% Subgoal 2.2: "?ti'. NTH_TIME_TRUE (SUC t) (ale_sig_ib p') 0 ti' /\ ti' > 0" 
[ "~(~ELEMENT (FST (L_ad_inE (e' tp'))) 31 /\ 

New_State_Is_PA s' e' tp')" ] % 

REWRITB_TAC [NTH_TIMB_TRUB ; STABLE_PALSE_THEN_TROE > SYM_RULE ONE_LESS_EQ ] 
THEN IMP_RBS_TAC ALE_SIO_IB_TRUE_APTBR_TP ' 

THEN BXISTS_TAC "ti"" itimeC" 

THEN IMP_RES_TAC NTH_TRANS_ONTO 
THEN NROLE_ASSOM_TAC 

( " S TABLE_P ALSE_THBN_TROE ( ale_s ig_ib p ' ) ( tp ' , t i " " ) " , 

(BETA_RULB o (REWRITE_ROLB [STABLE_FALSE_THBN_TRUB] ) ) ) 

THEN NROLB_ASSOM_TAC 

("TROE_THBN_STABLB_PALSE(ale_sig_ib p') (ti",tp' - 1)", 
(BBTA_R0LB O ( REWRITE_ROLE [ TRUE_THEN_STABLE_FALSE ] ) ) ) 

THEN POP_ASSDM_LIST (MAP_BVBRY (\thm. STRIP_ASSOME_TAC thm)) 

THEN IMP_RES_TAC (SPBCL ["tp' itimeC"; "1"] SUB_ADD) 

THEN ASM_RBWRITE_ASSOM„TAC 

("ti" <= (tp' - 1)", 

[SYM_ROLE (SPECL ["ti " itimeC"; "tp' -1"; "1"] 

LBSS_BQ_MONO_ADD_EQ ) ] ) 

THEN IMP_RES_TAC LESS_BQ_TRANS 
THEN ASM_RBWRITE_TAC [] 

THEN BXISTS_TAC "ti" itimeC" 

THEN ASM_REWRITE_TAC [] 

THEN OEN_TAC 

THEN ASM_CASES_TAC "(ti" + 1) <= t' /\ t' < ti""" 

THEN ASM_REWRITE_TAC [ ] 
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THEN ASM_CASBS_TAC "t ' <= tp' - 1" 

THEN POP_ASSUM_LIST (MAP_3VERY (\thm. STRIP_ASSUMB_TAC thm) ) 

THBNL [ 

% Subgoal 2.2.1: [ "t' <= (tp' - 1)" ] % 

SPBC_ASSUNLTAC 

("!t. ti" « t /\ t <« (tp'-l) ==> ~ale_sig_ib p' t","t' itimeC") 
THEN ASSOMB_TAC 

( PURE_ONCE_REWRITE_RULE 

IADD_SYM] (SPECL ["1"; "ti " : timeC"] LESS_BQ_ADD) ) 

THEN XMP_RES_TAC LBSS_BQ_TRANS 
THEN IMP_RES_TAC 

(SPECL ("ti" itimeC"/"t' itimeC") 

(REWRITE_RULB [ADD1] SUC_LE_IMP_LT ) ) 

THEN RES_TAC 

I 

% Subgoal 2.2.2: [ "~t' <= (tp' - 1)" ] % 

IMP_RES_TAC NOT_LESS_EQ_LESS 
THEN SPEC_ASSDM_TAC 

("It- tp'<=t /\ t<tl'"' ==> ~ale_aig_ib p' t", "t' itimeC") 
THEN XMP_RES_TAC (RBWRXTB_RULB [PRB_SOBl] PRE_LT_IMP_LE ) 

THEN RES_TAC 

] 

] 

] 

) II 

%
TRANS_TIMES_EQUAL

Under the standard assumptions (including IB_PMaster for ti'), if the
t-th ale_sig_pb event of e' is at tp' > 0 and the t-th ale_sig_ib
event of p' is at ti', and New_State_Is_PA s' e' tp' holds with bit
31 of FST (L_ad_inE (e' tp')) clear, then ti' = tp': the t-th I-Bus
ALE event falls on the same clock time as the t-th P-Bus ALE event.

Proof by INDUCT_TAC on t.  Common prefix: New_State_Is_PA is
rewritten away, TRUE_EVENT_TIMES_EQUAL is instantiated at
(t, 0, ti', tp', ale_sig_ib p'), NTH_TRANS_CAUSAL and LESS_OR_EQ
give ti' <= tp' as a disjunction, and ALE_SIG_IB_TRUE_ON_TP' gives
ale_sig_ib p' true at tp'.  Base case: the 0-th event unfolds to
"false on [0,ti')", contradicting truth at tp' when tp' < ti'.
Step case: the (SUC t)-th event is unfolded to its witness t' and
the interval (t'+1, ti'); NTH_TRANS_ONTO gives ale_sig_ib false on
(t', tp'-1], and arithmetic on t'+1 <= (tp'-1)+1 closes the goal.

OCR notes: the "-" after TRANS_TIMBS_BQUAL is "=" and TAC_PROOP is
TAC_PROOF; the "==>" after the NTH_TIME_TRUE ... ti' antecedent and
after IBA_PMaster appears to have been lost in the scan.
%
let TRANS_TIMBS_BQUAL - TAC_PROOP 

(([], 

"1 (t ttlmeT) (a itimeT->pt_atate) (a itimeT->pt_env) (p : timeT->pt_out ) 

(a' !timeC->pc_atate) (•' (tlmac->-pc_env) (p' itimeC->pc_out) 

(tp' ttimeC) (ti' itimeC) (pti iPTI) . 

PCSet_Correct a' e' p' =«> 

PTAbaSet a a p a' e' p' =«> 

NTH_TXME_TROE t (ale_aig_pb a') 0 tp' ==> 
tp' > 0 >» 

NTH_TIME_TROB t (ale_sig_ib p') 0 ti' 

PT_Exac pti a a p t *=> 

PT_PraC pti a a p t ==> 

PStateAba pti aepta'e'p'tp' »=> 

Rat_Slava pti ate' *«> 

PB_Slave pti i p t a' p' tp' ==> 

IB_PMaater pti apt a' p' ti' ==> 

IBA_PMaater pti a p t a' p' ==> 

(New_Stata_Ia_PA a' a' tp' /\ 

-ELEMENT ( FST ( L_ad_inB (a' tp'))) (31)) ==> 

(ti' = tp')") , 

INDOCT_TAC 

THEN REWRITE_TAC (Naw_State_Ia_PA] 

THEN REPEAT STRIP_TAC 
THEN ASSOME_TAC 

(SPECL t *t i timeT" » "0" ; "ti ' t timeC"; "tp ' i timaC" ; "ale_aig_ib p'"] 
TRUE_EVENT_TIMBS_BQUAL ) 

THEN RES_TAC 

THEN IMP_RES_TAC NTH_TRANS_CAOSAL 
THEN IMP_RBS_TAC LBSS_OR_EQ 
THEN ASM_RENRITE_TAC[] 

THEN XMP_RES_TAC ( RBWRITE_RDLE [New_State_Ia_PA] ALE_SIO_IB_TRUE_ON_TP ' ) 

THBNL [ 

% Subgoal 1: (Base Case) % 

REWRITE _ASSOM_TAC 

( "NTH_TIME_TRUB 0 (ale_aig_ib p')0 ti'", 

[ NTH_TIME_TRUE » STABLB_FALSB_THBN_TRUE ] ) 

THEN POP_ASSOM_LIST (MAP_BVBRY (\thm. STRIP _ASSOME_TAC thm)) 

THEN SPEC_ASSUM_TAC 

("It. 0 <■ t /\ t < ti' »=> ~ale_aig_ib p' t", "tp' itimeC") 

THEN XMP_RBS_TAC GREATER 
THEN IMP_RES_TAC LT_IMP_LE 
THEN RBS_TAC 

; 

% Subgoal 2: (Induction Step) % 

REWRITB_ASSUM_TAC 

( "NTH_TIMB_TRUB ( SOC t) (ala_aig_lb p')0 ti'". 
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THEM 


[NTH_TIMB_TRUB I STABLB_FALSB_THBN_TRUB ] ) 

CHOOSB_ASSDM_TAC 

"?t'. NTH_TIME_TRUB t(ale_sig_ib p')0 t' /\ 

(t' + 1) <* ti' /\ 

(It. (t' +1) <= t /\ t < ti' «s=> ~ale_sig_ib p' t) /\ 
ale_sig_ib p' ti'" 

THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUMB_TAC thm)) 

THEN SPBC_ASSOM_TAC 

("It", (t' + 1) <= t" /\ t" < ti' ==> ~ale_Big_ib p' t"", 
"tp' itimaC") 

THEN IMP_RES_TAC PRB_BXEC_PREC 
THEN IMP_RES_TAC ABS_SET_XMP_ABS 
THEN NRUIiE_ASSUM_TAC 

("Iptl t. PTAbs pti s apt s' e'p'", 

( (RBWRITE_RULB [PTAbs]) o (SPECL ["ptiO I PTI" ; "t I timeT"] )) ) 
THEN POP_ASSUH_I<IST (MAPBVBRY (\thin. STRIP_ASSUME_TAC thm)) 

THEN RES_TAC 
THEN RES_TAC 

THEN IMP_RBS_TAC NTH_TRANS_ONTO 
THEN REWRITE_ASSOM_TAC 

( "TRUB_THBN_STABLB_FALSB ( ale_a ig_ib p ' ) ( t ' , tp ' - 1)", 
[TRUE_THBN_STABLE_FALSE] ) 

THEN POP_ASSOM_LIST (MAP_EVERY (\thm. STRIP_ASSOME_TAC thm)) 

THEN IMP_RES_TAC 

(SPECL t"t' itimeC">"tp'-l"|"l"] (RIMP LBSS_EQ_MONO_ADD_EQ) ) 
THEN IMP_RBS_TAC (RIMP ONB_LESS_EQ ) 

THEN IMP_RBS_TAC (SPECL ("tp' :timeC"> "1") SUB_ADD) 

THEN ASM_REWRITE_ASSOM_TAC ( " (t ' + 1) <= ((tp' - 1) + 1)",[]) 

THEN RES_TAC 

] 

) ; i 

%
NEXT_IBUS_TRANS_IS_NTH

Under the standard assumptions, if the t-th ale_sig_pb event of e'
is at tp' > 0 and STABLE_FALSE_THEN_TRUE (ale_sig_ib p') (tp',ti')
(ale_sig_ib is false from tp' up to but excluding ti', and true at
ti'), then ti' is the t-th ale_sig_ib event: the first I-Bus ALE at
or after a P-Bus ALE is the one that corresponds to it.

Proof by INDUCT_TAC on t.  Base case: ALE_SIG_IB_FALSE_UPTO_FIRST
gives ale_sig_ib false on [0, tp'-1] and
SUP_INTERVAL_STABLE_FALSE_THEN_TRUE joins it with the (tp',ti')
interval to give STABLE_FALSE_THEN_TRUE on (0,ti'), which is the
unfolded 0-th event.  Step case: NTH_IBUS_TRANS_EXISTS supplies the
t-th I-Bus event ti''' and NTH_TRANS_ONTO makes ale_sig_ib false on
(ti''', tp'-1]; the (SUC t)-th event is then exhibited with witness
ti''', the two false intervals being merged by a case split on
tp' <= t'.

OCR note: the ASM_CASES_TAC term near the end reads "tp' t'" in the
scan; the subgoal labels that follow show it is "tp' <= t'".
%
let NEXT_IBHS_TRANS_IS_NTH = TAC_PROOF 

(( [], 

"I (t itimaT) (b itimeT->pt_stata) (a : timaT->pt_env) (p itimeT->pt„out) 
(s' : timaC->pc_atata) (a' itimeC->pc_env) (p' i t imec - >pc_out ) 

(tp' jtimec) (ti' itimec) (pti iPTl) . 

PCSet_Correct s' a' p' »> 

PTAbsSat a a p 8' a' p' =■> 

NTH_TIMB_TRDE t (ale_sig_pb a') 0 tp' s=> 
tp' >0 ««> 

PT_Exec pti sept ==> 

PT_PreC pti sept -=> 

PStataAbs pti septs'e'p'tp' ==> 

Rst_Slava pti ate' ==> 

PB_Slava pti i p t a' p' tp' ==> 

IBA_PMas tar pti a p t a' p' 

STABLE_FALSE_THEN_TROB (ale_sig_ib p') (tp' ,ti' ) ==> 
NTH_TIMB_TRDE t (ale_sig_ib p' ) 0 ti'"), 

INDUCT_TAC 

THBN REPEAT STRIP.TAC 
THBNL [ 

% Subgoal 1: (Base Case) % 

REPEAT STRIP_TAC 

THEN IMP_RES_TAC ALB_SIO_IB_FALSE_DPTO_FIRST 

THBN IMP_RES_TAC SUP_INTBRVAL_STABLE_FALSE_THEN_TRUE 

THEN IMP_RBS_TAC (RIMP ONB_LBSS_EQ ) 

THEN IMP_RES_TAC (SPECL ["tp' itimaC"; "1"] SOB_ADD) 

THEN ASSOME_TAC (SPEC "ti' ItimaC" ZBRO_LBSS_BQ) 

THEN ASSUMB_TAC (SPEC "tp' ItimaC" LESS_BQ_REFL) 

THEN ASM_RBWRITB_ASSUM_TAC 

("tp' <■ ( (tp' - 1) +1) ==> 0 <- ti' ==> 

STABLE_FALSB_THBN_TRtJB ( ale_s ig_ib p ')( 0 , t i ')",[] ) 

THBN ASM_RKWRITE_TAC [NTH_TIMB_TROE ] 

; 

% Subgoal 2: (Induction Step) % 

IMP_RES_TAC PRE_EXEC_PREC 
THEN IMP_HES_TAC ABS_SET_IMP_ABS 
THEN NRULB_ASSUM_TAC 

("lpti t. PTAbs pti s apt s' e'p'", 

( (REWRITE_RULE [PTAbs]) O (SPECL ["ptiO t PTI"} "t I timeT"] ) ) ) 
THEN POP_ASSOM_LIST (MAP_EVERY (\thm. STRIP _ASSUMB_TAC thm)) 
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THBN RBS_TAC 
THEN RBS_TAC 

THBN POP_ASSUM (\thm. ALL_TAC ) 

THBN POP_ASSUM (\thm. ALL_TAC ) 

THEN IMP_RES_TAC NTH_IBDS_TRANS_EXISTS 
THBN IMP_RES_TAC NTH_TRANS_ONTO 
THBN POP_ASStJM (\thm. ALL_TAC ) 

THBN POP_ASStJM (\thm. ALL_TAC) 

THBN RBWRITE_TAC [ NTH_TIME_TROE ; STABLB_FALSE_THBN_TRUE ] 

THBN EXISTS_TAC "ti'":timeC" 

THBN ASM_REWRITE_TAC t ] 

THEN RBWRITB_ASSDM_TAO 

( "TRUB_THEN_STABLE_FALSB (ale_aig_ib p')(ti'",tp' - 1 ) " , 
(TRUE_THEN_STABLE_FALSE ] ) 

THBN RBWRITE_ASStJM_TAC 

( "STABLB_FALSE_THBN_TRDE ( ale_S ig_ib p ' ) ( tp ' , ti ' ) " , 
[STABLB_FALSB_THBN_TRUE] ) 

THBN POP_ASSUM_LIST (MAP_BVBRY ( \thm. STRIP_ASSUMB_TAC thm)) 

THBN IMP_RES_TAC 

(RIMP (SPECL ["ti' ' ' t timeC" ) "tp ' -1" ; "1"] LBSS_BQ_MONO_ADD_EQ) ) 

THBN IMP_RBS_TAC (RIMP ONB_LBSS_EQ) 

THBN IMP_RBS_TAC (SPKCL ["tp' "1"] SUB_ADD) 

THBN ASM_RBWRITK_ASSDM_TAC ("(ti'" + 1) <= ((tp' - 1) + 1 ) " , [ 1 ) 

THBN IMP_RBS_TAC LBSS_BQ_TRANS 
THBN ASM_RBWRITE_TAC[] 

THBN REPEAT STRIP_TAC 
THBN SPBC_ASSDM_TAC 

("!t. tp' <« t /\ t < ti' *=> -ale_sifl_ib p' t" , "t' i timeC") 

THEN SPBC_ASSDM_TAC 

("It. ti'" < t /\ t <= (tp' - 1) ==> ~ale_Big_ib p' t", "t ' : timaC") 
THBN ASM_CASBS_TAC "tp' t'" 

THBNL [ 

% Subgoal 2.1: [ "tp' <= t'" ] % 

RES_TAC 

» 

% Subgoal 2.2: [ "~tp' <= t'" ] % 

IMP_RBS_TAC NOT_LKSS_BQ_LBSS 

THBN IMP_RBS_TAC ( REWRITE_RULE [ADD1] SUC_LE_IMP_LT) 

THBN IMP_RBS_TAC ( REWRITE_RULE [PRB_SUB1] LT_IMP_LB_PRB ) 

THBN RBS_TAC 

] 

] 

) ;; 

%
P_RQT_FALSE_ON_TI'

Proved under a hypothesis list (the first component of the goal)
holding the twelve standard assumptions, so the resulting theorem
carries them as hypotheses rather than antecedents.  Conclusion:
if New_State_Is_PA s' e' tp' holds and bit 31 of
FST (L_ad_inE (e' tp')) is clear, then P_rqtS (s' ti') is false --
no P request is pending at the t-th I-Bus ALE time.

Proof: TRANS_TIMES_EQUAL gives ti' = tp' under exactly these
conditions, PREC is applied, PStateAbs is unfolded, and the
resulting P_rqtS fact at ti' is rewritten against the assumptions.

OCR notes: "FAI»SB" is FALSE and the "«" before TAC_PROOF is "=";
the "*" opening the conclusion is the start of its quote, so the
conclusion reads "(New_State_Is_PA s' e' tp') /\ (~ELEMENT ...)
==> (~P_rqtS (s' ti'))" (compare the contrapositive stated in the
comment before P_RQT_TRUE_ON_TI'_IMP_DELAY_CONDS); the closing
")))" on the last line is ");;".
%
let P_RQT_FAI»SB_ON_TI ' « TAC_PROOF 
( ( ("PCSet_Correct a' a' p'"j 
"PTAbaSat a a p a' a' p '"> 

"NTH_TXMB_TRCJB t (ala_aig_pb a') 0 tp'") 

"tp' > 0") 

"NTH_TIMB_TROB t (ala_aig_ib p') 0 ti'") 

"PT_Bxac pti a a p t"; 

"PT_PraC pti a a p t") 

"PStateAbs pti a a p t a' a' p' tp'") 

"Rat_Slava pti a t a'") 

"PB_Slave pti a p t a' p' tp'") 

"IB_PMaatar pti a p t a' p' ti'"j 
"IBA_PMaatar pti a p t a' p ' " ] , 

* (Naw_Stata_Ia_PA a' a' tp') /\ 

(-ELEMENT ( FST ( L_ad_inE (a' tp'))) (31)) 

«*> 

(~P_rqtS (a' ti'))"), 

REPEAT STRIP_TAC 

THEN IMP_RES_TAC TRANS_TIME S_EQUAL 
THEN IMP_RES_TAC PREC 

THBN REWRITE_ASSUM_TAC ("PStataAba pti a a p t B' a' p' tp' ", [PStateAbs] ) 
THEN POP_ASSOM_LIST (MAP_BVBRY ( \tbm. STRIP_ASSUME_TAC thm)) 

THEN RES_TAC 

THEN ASM_RBWRITB_ASSUM_TAC ( "P_rqtS ( 8 ' (ti ' : timeC) )",[]) 

) )) 


% 

P_RQT_TRUE_ON_TI'_IMP_DELAY_CONDS = 

|- !pti e p t e' p' ti' tp' s s'. 

IBA_PMaster pti e p t e' p' ==> 

IB_PMaster pti e p t e' p' ti' ==> 

PB_Slave pti e p t e' p' tp' ==> 

Rst_Slave pti e t e' ==> 

PStateAbs pti s e p t s' e' p' tp' ==> 

PT_PreC pti s e p t ==> 

PT_Exec pti s e p t ==> 

NTH_TIME_TRUE t (ale_sig_ib p') 0 ti' ==> 
tp' > 0 ==> 

NTH_TIME_TRUE t (ale_sig_pb e') 0 tp' ==> 

PTAbsSet s e p s' e' p' ==> 

PCSet_Correct s' e' p' ==> 

P_rqtS (s' ti') ==> 

~(New_State_Is_PA s' e' tp' /\ ~ELEMENT (FST (L_ad_inE (e' tp'))) 31) 

-----%


%
P_RQT_TRUE_ON_TI'_IMP_DELAY_CONDS

Derived, not re-proved: the contrapositive of P_RQT_FALSE_ON_TI'
(CONTRAPOS), with its hypotheses discharged (DISCH_ALL) and the free
variables generalised (GEN_ALL), then tidied by REWRITE_RULE [].
The resulting statement is the one quoted in the comment above:
a pending P request at ti' rules out the PA-state / bit-31-clear
combination at tp'.
%
let PJRQT_TRUH_ON_TI'_IMP_DBLAY_CONDS = 

REWRITE JRULB [] (G»EN_ALL (DISCH_ALL (CONTRAPOS P_RQT_FALSE_ON_TI ')));; 

%
P_RQT_TRUE_ON_TI'

Companion to P_RQT_FALSE_ON_TI', proved under the same hypothesis
list: if it is NOT the case that bit 31 of FST (L_ad_inE (e' tp'))
is clear and New_State_Is_PA s' e' tp' holds, then P_rqtS (s' ti')
is true -- a P request is pending at the t-th I-Bus ALE time.

Proof: ALE_SIG_IB_TRUE_AFTER_TP' and TI'_AFTER_TP' locate the I-Bus
ALE after tp' at some ti''; NEXT_IBUS_TRANS_IS_NTH shows it is the
t-th event, so TRUE_EVENT_TIMES_EQUAL gives ti' = ti'' (Subgoal 1).
Subgoal 2 rewrites the negated conjunction with DE_MORGAN_THM, uses
STABLE_FALSE_THEN and NEW_P_RQT_TRUE_FROM_TP'_TO_TI' to get
New_P_Rqt_Is_TRUE at ti'' - 1, rewrites ti'' as (ti'' - 1) + 1 via
SUB_ADD, and finishes with P_rqt_ISO and the definitions
New_P_Rqt_Is_TRUE / New_State_Is_PD.

OCR note: the last line ")))" is ");;".
%
let P_RQT_TROE_ON_TI ' = TAC_PROOF 
( ( ("PCSet_Correct s' a' p'"; 

"PTAbaSet a a p s' a' p ) 

"NTH_TXME_TROB t (ale_aig_pb a') 0 tp'"j 
"tp' > 0") 

"NTH_TIMB_TRUB t (ala_aig_ib p') 0 ti'") 

"PT_Exac pti a e p t 
"PT_PraC pti a a p t") 

"PStateAba pti a a p t a’ a' p' tp"') 

"Rst_Slave pti a t a'") 

"PB_Slave pti a p t a' p' tp'") 

"IB_PMaater pti a p t a' p' ti'") 

"IBA_PMaatar pti a p t a' p'"J # 

"-(-ELEMENT ( FST ( L_ad_inE (a' tp'))) (31) /\ New_State_Ia_PA s' a' tp') 

»»> 

P_rqtS (s' ti')"), 

REPEAT STRIP_TAC 

THEN IMP_RES_TAC ALE_SIO_IB_TRUE_AFTER_TP ' 

THEN POP_ASSOM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm) ) 

THEN RES_TAC 

THEN IMP_RBS_TAC TI '_AFTER_TP ' 

THEN IMP_RES_TAC NEXT_IBOS_TRANS_IS_NTH 

THEN SUBOOAL_THEN " (ti ' ttimeC) ■ ti"" ASSUMB_TAC 

THENL [ 

% Subgoal 1: (New Subgoal) % 

IMP_RBS_TAC TRUB_EVENT_TIMES_BQOAL 

) 

% Subgoal 2: (Continue) % 

REWRITE_ASSOM_TAC 

( ( -ELEMENT (FST ( L_ad_inE ( a ' tp')))31 /\ New_State_Ia_PA s' e' tp')", 
[DB_MOROAN_THM] ) 

THEN POP_ASSOM_LIST (MAP_EVERY (\thm. STRIP_ASSOME_TAC thm)) 

THEN RES_TAC 

THEN IMP_RKS_TAC ( REWRITE_RULE [PRB_SOBl] LT_IMP_LB_PRB ) 

THEN IMP_EBS_TAC STABLB_FALSB_THEN 

THEN ASSDME_TAC (SPECL ("ti' ' ttimeC") "1") SUB_LESS_EQ) 

THEN IMP_RES_TAC NEW_P_RQT_TRHE_FROM_TP '_TO_TI ' 

THEN IMP_RBS_TAC M_LBSS_0_LESS 

THEN IMP_RBS_TAC ( REWRI TE_RULE [ADD1] LT_IMP_SUC_LB ) 

THEN POP_ASSOM_LIST (MAP_EVERY (\thm. ASSUME_TAC ( RBDUCE_RULB thm))) 
THEN ASM_RBWRITB_TAC[] 

THEN IMP_RES_TAC (SYM_ROLR (SPECL ( "ti " t timeC") "1"] SUB_ADD) ) 

THEN PnRB_ONCB_ASM_RBWRITB_TAC H 

THEN DELETE_ASSUM_TAC "ti" = (ti" - 1) + 1" 

THEN IMP_RES_TAC P_rqt_ISO 

THEN REWRITB_ASSOM_TAC ( "Naw_P_Rqt_Is_TRDE a' e'(ti" - 1)", 

[New_P_Rqt_Is_TRUR ) Naw_State_Ia_PDl ) 

THEN ASM_REWRITB_TAC[] 

) 

))) 
% 
P_RQT_FALSE_ON_TI'_IMP_FLOWTHRU_CONDS = 

|- !pti e p t e' p' ti' tp' s s'. 

IBA_PMaster pti e p t e' p' ==> 

IB_PMaster pti e p t e' p' ti' ==> 

PB_Slave pti e p t e' p' tp' ==> 

Rst_Slave pti e t e' ==> 

PStateAbs pti s e p t s' e' p' tp' ==> 

PT_PreC pti s e p t ==> 

PT_Exec pti s e p t ==> 

NTH_TIME_TRUE t (ale_sig_ib p') 0 ti' ==> 

tp' > 0 ==> NTH_TIME_TRUE t (ale_sig_pb e') 0 tp' ==> 

PTAbsSet s e p s' e' p' ==> 

PCSet_Correct s' e' p' ==> 

~P_rqtS (s' ti') ==> 

~ELEMENT (FST (L_ad_inE (e' tp'))) 31 /\ New_State_Is_PA s' e' tp' 
%


%
P_RQT_FALSE_ON_TI'_IMP_FLOWTHRU_CONDS

Derived, not re-proved: the contrapositive of P_RQT_TRUE_ON_TI'
(CONTRAPOS, DISCH_ALL, GEN_ALL, REWRITE_RULE []), giving the
statement quoted in the comment above: no pending P request at ti'
forces bit 31 clear and New_State_Is_PA at tp'.

OCR note: the trailing "/;" is ";;".
%
let P_RQT_FALSE_ON_TI ' _IMP_FLOWTHRU_CONDS = 

RBWRITE_RULE [] (GBN_ALL (DISCH_ALL (CONTRAPOS P_RQT_TRUE_ON_TX ')))/; 

%
MAXWORD

ASSERTED WITH mk_thm, NOT PROVED:  !n b. VAL n b < 2 EXP (SUC n),
i.e. the value of a word b at width index n is below 2 EXP (SUC n)
(so VAL n apparently denotes an (n+1)-bit value).

mk_thm manufactures a theorem with no proof obligation, so this is
an axiom of the development rather than a result of it.  Every
theorem that uses it (for example the DECN_WORDN_1 reasoning later
in this file, which relies on 2-bit word values being at most 3)
inherits it as a trust assumption.  When auditing the trusted base
of this verification, each mk_thm in the file (MAXWORD,
PRIOR_FALSE_EVENTS_EXIST, GT_IMP_NOT_EQ, SUP_INTERVAL_STABLE_FALSE,
LT_IMP_NOT_EQ) should be justified independently or replaced by a
TAC_PROOF.

OCR note: "I" after MAXWORD is "=", "U" is "[]".
%
let MAXWORD I mk_thm 

(U, 

" 1 n b. (VAL n b) < (2 EXP (sue n) ) " 

);; 


% 
File: pt_thms2.ml 

Author: (c) D. A. Fura 1993 

Date: 7 March 1993 

More theorems used in the P-Port trans-level proof. 
% 


%
GREATER_TRANS

!m n p:num. m > n ==> n > p ==> m > p -- transitivity of ">".
Proved by rewriting ">" with GREATER and applying LESS_TRANS.

OCR note: "»" after GREATER_TRANS is "=", TAC.PROOF is TAC_PROOF.
%
let GREATER_TRANS » TAC.PROOF 

(([], 

"! m n p mum . m > n »=> n > p ==> m > p"), 
REWRITB_TAC [GREATER] 

THEN REPEAT STRIPJTAC 
THEN IMP_RES„TAC LESS_TRANS 

);> 

%
PRIOR_FALSE_EVENTS_EXIST

ASSERTED WITH mk_thm, NOT PROVED:
   !(x:time->bool) (m n:num) (t0 t:time).
     NTH_TIME_FALSE n x t0 t ==> m < n ==>
     ?t'. t' < t /\ NTH_TIME_FALSE m x t0 t'
Reads as: if the n-th false-event of x (counted from t0) is at t,
every earlier-numbered false-event m < n occurred at some earlier
time t'.  As with MAXWORD this is a trust assumption of the
development; see the note there.
%
let PRIOR_FALSE_BVBNTS_KXIST b mk_thm 

([], 

"1 (x <tima->bool) (m n mum) (to t ttima) . 
NTH_TIME_FALSE n X tO t ==> 

(m < n) ■«> 

( 7t ' , t' < t /\ NTH_TIME_FALSE m X tO t ' ) " 

);; 

%
GT_IMP_NOT_EQ

ASSERTED WITH mk_thm, NOT PROVED:  !m n:num. m > n ==> ~(m = n).
A trust assumption of the development (see the note at MAXWORD);
it is an elementary arithmetic fact, so a TAC_PROOF from GREATER
and LESS_NOT_EQ-style lemmas would be the natural replacement.
%
let GT_IMP_NOT_BQ « mk_thm 

([]/ "1 (m n mum), m > n ==> - (m = n )")it 

%
SUP_INTERVAL_STABLE_FALSE

ASSERTED WITH mk_thm, NOT PROVED:
   !(t0 t9 t1 t2:time) (x:time->bool).
     STABLE_FALSE x (t0,t1) ==> STABLE_FALSE x (t2,t9) ==>
     t2 <= t1+1 ==> t0 <= t9 ==> STABLE_FALSE x (t0,t9)
Joins two stable-false intervals that touch or overlap into one.
A trust assumption of the development; see the note at MAXWORD.

OCR note: "(to < b t9 )" is "(t0 <= t9)".
%
let SUP_INTERVAL_STABLE_FALSE a mk_thm 

( [], 

"1 (tO t9 tl t2 itima) (x itima->bool) . 
STABLB_FALSB X (tO,tl) n> 

STABLE_FA1.SE X (t2,t9) ==> 

(t2 < = tl+1) **> 

(to < b t9 ) »=»> 

STABLE_FALSB X (t0,t9)" 

) I) 

%
LT_IMP_NOT_EQ

ASSERTED WITH mk_thm, NOT PROVED:  !m n:num. m < n ==> ~(m = n).
A trust assumption of the development (see the note at MAXWORD);
the standard LESS_NOT_EQ would prove it.

OCR note: "(m < a)" is "(m < n)".
%
let LT_IMP_NOT_EQ • mk_thm 

([], "I m n mum . (m < a) ==> -(m = n )");; 

%
DECN_WORDN_1

!m n:num. m <= 3 ==> n <= 3 ==> (m = n + 1) ==>
          (DECN 1 (WORDN 1 m) = WORDN 1 n)
Decrementing the width-index-1 word holding m yields the word
holding n when m = n+1 and both fit (at most 3, consistent with the
2-bit reading of MAXWORD).

Proof: rewrite with DECN and split on its conditional
(COND_CASES_TAC).  Subgoal 1 is the wrap-around arm
"SETN 1 = WORDN 1 n" under ZEROS 1 (WORDN 1 m): first n < 3 is
shown from n <= 3 and m = n+1 <= 3, then ZEROS 1 (WORDN 1 m) is
shown to force m = 0 (by case analysis on m <= 3 with
LESS_EQ_3_CASES), which contradicts m = n+1.  Subgoal 2 is the
normal arm "WORDN 1 ((VAL 1 (WORDN 1 m)) - 1) = WORDN 1 n", closed
by VAL_WORDN_IDENT_1 and ADD_SUB.
%
let DECN_WORDN_l a TAC_PROOF 

(([], 
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"1 (m n mum) . 

(m <= 3) =»> 

(n <= 3) ==> 

(m = n + 1) ==> 

(DECN 1 (WORDN 1 m) = WORDN 1 n) " ) , 

RBWRITB_TAC [DECN] 

THEN REPEAT STRXP_TAC 
THEN COND_CASBS_TAC 
THENL [ 

% Subgoal 1: "SETN 1 = WORDN 1 n" 

[ "ZEROS 1 (WORDN 1 m)" ] % 

SUBGOAL_THBN "n < 3" ASSDME_TAC 
THENL [ 

% Subgoal 1.1: "n < 3" % 

REWRITE_ASSOM_TAC ("n <= 3", [LESS_OR_EQ] ) 

THEN POP_ASSUM_LIST (MAP_EVBRY (\thm. STRIP_ASSUME_TAC thm) ) 

THEN ASM_RBWRITE_TAC[] 

THEN ASM_REWRITE_ASSDM_TAC ("m = n + 1", m 
THEN DNDISCH_TAC "m <= 3" 

THEN ASH_RBWRITB_TAC [] 

THEN REDTJCE_TAC 

; 

% Subgoal 1.2: [ "n < 3" ] % 

SUB30AL_THBN "ZEROS 1 (WORDN 1 m) ==> (m=0)" IMP_RKS_TAC 
THENL [ 

% Subgoal 1.2.1: (New Subgoal) % 

REWRITB_TAC [num_CONV "1"; ZEROS;WORDN] 

THEN BETA_TAC 
THEN REDUCE_TAC 

THEN REWRITE_ASSUM_TAC ("m <= 3", [LESS_EQ_3_CASES] ) 

THEN POP_ASSUM_LIST (MAP_EVERY ( \thm. STRIP_ASSUMB_TAC thm)) 

THEN ASM_REWRITE_TAC [ ] 

THEN REDDCE_TAC 

; 

% Subgoal 1.2.2: (Continue) % 

UNDISCH_TAC "m = n + 1" 

THEN RBWRITB_ASSUM_TAC ("n <= 3", [LESS_BQ_3_CASES] ) 

THEN POP_ASSDM_LIST (MAP_EVERY ( \thm. STRIP_ASSUME_TAC thm) ) 

THEN ASM_REWRITE_TAC[] 

THEN REDtJCE_TAC 

] 

] 

; 

% Subgoal 2: "WORDN 1 ((VAL 1 (WORDN 1 m)) - 1) = WORDN 1 n" % 

IMP_RES_TAC VAL_W0RDN_IDBNT_1 
THEN ASM_REWRITB_TAC [ADD_SUB] 

) 

) II 

%
STABLE_HI_IMP_NOT_STABLE_LO

!(x:time->wire) (t1 t2:time). STABLE_HI x (t1,t2) ==> ~STABLE_LO x (t1,t2)
A wire cannot be stably HI and stably LO over the same interval.

Proof: unfold STABLE_HI and STABLE_LO, instantiate both universally
quantified hypotheses at t = t1 (LESS_EQ_REFL supplies t1 <= t1),
RES_TAC yields x t1 = HI and x t1 = LO, and the goal closes with the
distinctness of the wire constructors
(prove_constructors_distinct wire).  NOTE(review): the t1 <= t2 side
condition the instantiation needs is presumably part of the unfolded
definitions, since nothing else here supplies it -- confirm against
the STABLE_HI / STABLE_LO definitions.

OCR note: "«" before TAC_PROOF is "=", "((II," is "(([],".
%
let STABLB_HI_IMP_NOT_STABLB_LO « TAC_PROOF 

((II, 

"1 (x itime->wire) (tl t2 itime) . 

STABLB_HI X (tl, t2) ==> -STABLE_LO X (tl,t2)"), 

RBWRITE_TAC tSTABLB_HI) STABLE_LO] 

THEN REPEAT STRIP_TAC 
THEN SPEC_ASSDM_TAC 

("It. tl <= t /\ t <» t2 »-> (x t = HI) ","tlitimeC") 

THEN SPEC_ASSUM_TAC 

("It. tl <■ t /\ t <» t2 a=> (x t ■ LO) ", "tlitimeC") 

THEN ASSUMB_TAC (SPEC "tlitimeC" LESS_BQ_RBPL) 

THEN RES_TAC 

THEN UNDISCH_TAC "X (tlitimeC) > LO" 

THEN ASM_RBWRITB_TAC tprove_oonetructore_diatinct wire] 

);» 

%
Standard_Assumps

new_definition bundling the thirteen assumptions that the P-Port
trans-level theorems above repeat as antecedents, so later theorems
can take the single hypothesis
   Standard_Assumps pti s e p t s' e' p' tp' ti'
Its body is the conjunction of: PCSet_Correct, PTAbsSet, PT_Exec,
PT_PreC, PB_Slave, IB_PMaster, IBA_PMaster, Rst_Slave, PStateAbs,
the t-th ale_sig_pb event at tp', tp' > 0, the t-th ale_sig_ib event
at ti', and ti' > 0.  EXPAND_STANDARD_ASSUMPS below re-exposes the
conjuncts.

OCR note: the closing ");;" of this definition is missing from the
scan; the text resumes with the next "let".
%
let Standard_Aa sumps «• new_def ini t ion 
( ' Standard_Assumps ' , 

"I (pti iPTI) (a itimeT->pt_atate) (e itimeT->pt_env) (p :timeT->pt_out) 

(t stimaT) (s' t timeC->pc_state) (e' itimeC->po_env) (p' itimeC->pc_out) 
(tp' ti' i timeC) . 

Standard_Asaumps pti a e p t s' e' p' tp' ti' = 

PCSet_Correct a' e' p' /\ 
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PTAbsSet 8 a p s' a' p' /\ 

PT_Exac pti s a p t /\ 

PT_PreC pti s a p t /\ 

PB_Slava pti a p t a' p' tp' /\ 
IB_PMastar pti a p t a' p' ti' A 
IBA_PMaster pti a p t a' p' A 
R8t_Slave pti ate' A 
PStataAbs pti s a p t s' a' p' tp' A 
NTH_TIMB_TRUE t(ale_sig_pb a')0 tp' /\ 

tp' > 0 A 

NTH_TIMB_TRUE t(ale_sig_ib p')0 ti' /\ 
ti' > 0" 


%
EXPAND_STANDARD_ASSUMPS

Standard_Assumps pti s e p t s' e' p' tp' ti' ==> (conjunction of
its thirteen components, listed in the same order as the
definition).  Proved by rewriting with Standard_Assumps, stripping,
and ASM_REWRITE_TAC.  Intended for IMP_RES_TAC use: it turns the
bundled hypothesis back into the individual assumptions the earlier
theorems expect.

OCR note: "lot" is "let".
%
lot EXPAND_STANDARD_ASStJMPS = TAC_PROOF 

<([], 

"1 (pti iPTI) (s itimeT->pt_stata) (a itimeT->pt_env) (p :timeT->pt_out) 

(t itimaT) (a' i timeC->pc_state) (a' i timeC->pc_env) (p' s timeC->pc_out) 
(tp' ti' itimec) . 

Standard_As sumps pti sapts'a'p'tp'ti' ■■> 

( PCSat_Correct s' a ' p ' A 
PTAbsSat aaps'a'p' A 
PT_Exac pti 8 a p t /\ 

PT_PraC pti s a p t /\ 

PB_Slava pti apte'p'tp' A 
IB_PMastar pti epte'p' ti' /\ 

IBA_PMaatar pti a p t a' p' /\ 

Rst_Slava pti a t a' /\ 

PStataAbs pti sapta' a'p' tp' /\ 

NTH_TIME_TRDB t(ale_aio_pb e')0 tp' /\ 
tp' > 0 /\ 

NTH_TIMB_TRUB t(ala_aia_lb p')0 ti' /\ 
ti' > 0)”) , 

REWRITB_TAC [Standard_A88uraps] 

THEN REPEAT STRIP_TAC 
THEN ASM_REWRITE_TAC[] 

)>; 

%
OFFSET_NEW_P_RQT_TRUE_FROM_TI'_TO_T'SACK

For every offset u': given PCSet_Correct, PT_Exec, IBA_PMaster,
Rst_Slave, the t-th ale_sig_ib event at ti' > 0, and
Sack_Sig_Is_TRUE s' e' stably false on (ti', t'sack-1), if
ti'+u' < t'sack then New_P_Rqt_Is_TRUE s' e' (ti'+u'): the new-P-
request condition holds at every clock time from the I-Bus ALE up to
(but excluding) the acknowledge time t'sack.  Stated with an explicit
offset so that it can be proved by induction on u'; the un-offset
form is NEW_P_RQT_TRUE_FROM_TI'_TO_T'SACK below.

Proof by INDUCT_TAC on u' after normalising ti'+SUC u' with
ADD_CLAUSES / ADD1 / ADD_ASSOC.  Base case (u' = 0):
NTH_TIME_TRUE_X_IMP_X gives ale_sig_ib at ti' and
IBUS_ALE_IMP_NEW_P_RQT gives the conclusion.  Step case: the
induction hypothesis is applied at ti'+u', STABLE_FALSE is unfolded
and instantiated at (ti'+u')+1 to get ~Sack_Sig_Is_TRUE there, then
the goal is split via SUBGOAL_THEN "P_rqtS (s' ((ti'+u')+1))":
Subgoal 2.1 proves it with P_rqt_ISO and the unfolded
New_P_Rqt_Is_TRUE / New_State_Is_PD; Subgoal 2.2 (Continue) uses
RST_FALSE, unfolds ~Sack_Sig_Is_TRUE, applies P_rqt_ISO and rewrites
with New_P_Rqt_Is_TRUE, New_State_Is_PD and the COND lemmas.

NOTE(review): in this scan the text of Subgoal 2.2 appears AFTER
the "] ] );;" that closes the proof.  It belongs between the ";"
following Subgoal 2.1 and the closing "]" of the inner THENL; the
displacement looks like a page-layout artefact of the scan, not
the structure of the original proof.
%
let OFFSET_NBW_P_RQT_TRUE_FROM_TI'_TO_T'SACK = TAC_PROOF 

((U, 

"1 (u' itimeC) 

(pti tPTX) (a :timaT->pt_stata) (a itimeT->pt_env) (p :timaT->-pt_out) 

(t itimaT) (s' itlmaC->pc_stata) (a' :timeC->pc_anv) (p' i timeC->pc_out) 
(tp' ti' t'sack itimaC) . 

PCSat_Corract s' a' p' ==> 

PT_Exao pti 8 a p t =«> 

IBA_PMastar pti a p t a' p' »=> 

Rst_Slava pti a t a' aa> 

NTH_TIMB_TRUE t(ale_sig_ib p ' ) 0 ti' ==> 

(ti' > 0) «> 

STABLB_FAX.SB (Sack_Sig_Xs_TRDE 8' a') (ti' , t ' sack-1) ==> 

((ti'+u') < t'sack) **> 

Naw_P_Rqt_Is_TRUE s' a ' (ti'+u')"), 

INDUCT_TAC 

THEN RBWRITE_TAC [ADD_CLAUSES ; AUDI ; ADD_ASSOC ] 

THEN REPEAT STRIP_TAC 
THENL [ 

% Subgoal 1: (Base Case) % 

IMP_RBS_TAC NTH_TIMB_TRUE_X_IMP_X 
THEN IMP_RBS_TAC IBUS_ALB_IMP_NEW_P_RQT 

) 

% Subgoal 2: (Induction Step) % 

ASSUMB_TAC (SPBCL ["ti'+u'";"l"] LESS_EQ_ADD) 

THEN IMP_RES_TAC LBSS_EQ_LESS_TRANS 

THEN RES_TAC 

THEN REWRITE_ASSUM_TAC 

( "STABLE_FALSE (Sack_Sig_Xs_TRDE 8' a ' ) ( ti ' , t ' sack-1) ", 
[STABLE.FALSE] ) 

THEN P0P_ASS0M_LIST (MAP_EVERY ( \thm. STRIP_ASSOME_TAC thm) ) 

THEN SPEC_ASSOM_TAC 

("It. ti' <» t /\ t <- (t'sack - 1) mm> -Sack_Sig_Is_TROB s' a' t", 
"(ti'+u' )+l") 
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THEN ASSUME_TAC (SPECL C"ti' 1 timeC" t "u' t timeC") LESS_EQ_JVDD ) 
THEN IMP_RBS„TAC LBSS_BQ_TRANS 

THEN IMP_RES_TAC ( REWRITE_RULE [PRB_SUB1] LT_IMP_LE_PRE ) 

THEN RES_TAC 

THEN SUBGOAL_THEN "P_rqtS (s’ ( (ti ' +u' ) +1) ) " ASSUMB_TAC 

THBNL [ 

% Subgoal 2.1: (New Subgoal) % 

IMP_RES_TAC P_rqt_ISO 
THEN REWR I TE_AS SUM_TAC 

("New_P_Rqt_Xs_TRUE s' e'(ti' + u ' ) " , 

[ New_P_Rqt_I s_TRUE » New_St at e_I s_PD ] ) 

THEN ASM_REWRITE_TAC [] 


; 


] 

1 

) ; i 


% Subgoal 2.2: (Continue) -- displaced in the scan, see header note % 

XMP_RBS_TAC RST_PALSE 
THEN NRULE_ASSUM_TAC 

( "~Sack_Sig_Is_TRUE s' e'((ti' + u') + 1)", 

(BBTA_RULE o (RBWRXTE_RULE[Sack_Sig_Is_TRUEjNew_State_Is_PD] ) ) ) 
THEN IMP_RBS_TAC P_rqt_XSO 

THEN ASM_RBWRITE_TAC [New_P_Rqt_Is_TRUE; New_State_Is_PD; COND_TROE_TRUE ; 
COND_TRUE_CHOICES ] 


%
NEW_P_RQT_TRUE_FROM_TI'_TO_T'SACK

Un-offset form of OFFSET_NEW_P_RQT_TRUE_FROM_TI'_TO_T'SACK: under
the same assumptions, for any clock time t' with ti' <= t' and
t' < t'sack, New_P_Rqt_Is_TRUE s' e' t'.

Proof: instantiate the offset theorem at u' = t'-ti', specialise the
remaining quantifiers, rewrite ti' + (t' - ti') back to t' with
SUB_ADD (after ADD_SYM, using ti' <= t'), and rewrite the goal.

OCR note: the "==>" after "(ti' <= t')" is missing from the scan.
%
let NEW_P_RQT_TRUB_FROM_TI'_TO_T'SACK = TAC_PROOF 

ecu, 

"! (t' itimeC) 

(pti :PTI) (s itimeT->pt_state) (e t timeT->pt_anv) (p :timeT->pt_out) 

(t ttlmeT) (s' :tlmeC->pc_state) (e' :timeC->pc_env) (p' ttlmeC->pc_out) 
(tp' ti' t'sack itimeC) . 

PCSet_Correct s' e' p' ==> 

PT_Bxec pti sept ««> 

IBA_PMaster pti e p t e' p' ==> 

Rst_Slave pti e t e' *=> 

NTH_TXME_TRUB t(ale_sig_ib p')0 ti' ==> 

(ti' > 0) ==> 

STABLE_FALSE (Sack_Sig_Is_TRUE s' e') (ti ', t ' sack-1) ==> 

(ti' <« t') 

(t' < t'sack) *«» 

New_P_Rqt_Is_TRUE s' e' t '" ) , 

REPEAT STRIP_TAC 

THEN IMP_RES_TAC (SPEC "t'-ti'" OFFSET_NEH_P_RQT_TRUE_FROM_TI ' _TO_T ' SACK) 
THEN SPBCL_ASSUM_TAC 

( "! t ' ti'". (ti' + (t' - ti'")) < t'sack ==> 

New_P_Rqt_Is_TROE s' e' (ti' + (t' - ti'"))", 
t"t' itimeC" >"ti' ttimeC") ) 

THEN IMP_RES_TAC 

(SPECL t"t' ttimeC";"ti' ttimeC"] 

(PHRE_ONCEJREWRITE_RULE CADD_SYM) SUB_ABD) ) 

THEN ASM_RBWRITB_ASSOM_TAC 

("(ti' + (t' - ti')) < t'sack ==> 

New_P_Rqt_Xs_TRDB s' e' (ti' + (t' - ti' ))",[]) 

THEN ASM_RBWRITB_TAC [ ] 

)ll 

%
SACK_SIG_FALSE_DURING_DATA_0

Given PCSet_Correct, PT_Exec, IBA_PMaster, the t-th ale_sig_ib event
at ti' > 0, and the I_srdy_E bit of the environment (bsig I_srdy_E e')
stably true from ti'+1 and false at t'rdy0
(STABLE_TRUE_THEN_FALSE ... (ti'+1, t'rdy0)), then
Sack_Sig_Is_TRUE s' e' is stably false on (ti', t'rdy0-1): no slave
acknowledge while the I-Bus ready line is asserted.

Proof: unfold STABLE_TRUE_THEN_FALSE, bsig, BSel, STABLE_FALSE and
Sack_Sig_Is_TRUE, beta-reduce and strip.  Subgoal 1 is the interval
bound ti' <= t'rdy0 - 1, from (ti'+1) <= t'rdy0 by
LESS_EQ_MONO_SUB and ADD_SUB.  Subgoal 2 shows ~SND (I_srdy_E (e' t'))
cannot hold inside the interval: for (ti'+1) <= t' the stable-true
hypothesis gives the contradiction directly; for the remaining point
t' = ti' (obtained by LESS_EQUAL_ANTISYM) the I-Bus ALE implies the
PA state (IBUS_ALE_IMP_PA), which excludes the PD state that
Sack_Sig_Is_TRUE needs (PA_IMP_NOT_PD).

OCR note: "ti'" and "tl'" are the same variable; "DATA_0" and
"t'rdyO" end in the digit 0.
%
let SACK_SIO_FALSE_DURINO_DATA_0 = TAC_PROOF 

(( [], 

"1 (pti tPTX) (s itimeT->pt_state) (a itimeT-»pt_env) (p itimeT->pt_out) 

(t ttlmeT) (s' itimeC->pc_state) (e' t timec->pc_env) (p' 1 1 imeC - >pc_out ) 
(ti' t'sack t'rdyO ttimeC) . 

PCSet_Correct s' e' p' «»> 

PT_Exec pti sept ==> 

XBA_PMaster pti e p t o' p' ==> 

NTH_TIME_TRUE t(ale_sig_ib p')0 ti' ==> 

(ti' > 0) =»> 

STABLE_TROE_THEN_FALSE (bsig I_srdy_E e') (ti ' +1, t 'rdyO) ==> 
STABLE_FALSE (Sack_Sig_Is_TRDE s’ o') (ti' ,t 'rdyO-1) ") , 

REWRI TB_TAC [ STABLE_TRUE_THEN_FALSE > bs ig ; BSel ; STABLE_FALSE ) Sack_Sig_Xs_TRUE ] 

THEN BETA_TAC 

THEN REPEAT STRIP_TAC 

THBNL [ 
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% Subgoal 1: "ti' <= (t'rdy0 - 1)" % 

IMP_RBS_TAC (SPECL t"tl ' +1" ( "t 'rdyO i timeC" ; "1"] LESS_BQ_MONO_SUB ) 

THEN RULE_ASSUM_TAC (REWRITB_RULB [SPECL [ "tl ': timeC" ; "1" ] ADD_SUB] ) 

THEN ASM_RBWRITE_TAC[] 

I 

% Subgoal 2: [ "~SND (I_srdy_E (e' t'))" ] % 

SPBC_ASSUM_TAC 

("!t. (tl' + 1) <= t /\ t < t'rdyO ==> SND ( I_srdy_E ( e ’ t) ) ", "t ' : timeC") 
THEN IMP_RBS_TAC (RIMP ONB_LBSS_BQ) 

THEN ASSUME_TAC (SPECL ["ti ' i timeC"; "1"] LBSS_BQ_ADD) 

THEN IMP_RES_TAC LESS_EQ_TRANS 

THEN XMP_RES_TAC (RBWRITB_RULB [PRE_SOBl] LE_PRE_IMP_LT ) 

THEN ASM_CASES_TAC " (ti ' +1) <=t ' " 

THBNL [ 

% Subgoal 2.1: [ "(ti' + 1) <= t'" ] % 

RBS_TAC 
THEN RBS_TAC 
J 

% Subgoal 2.2: [ "~(ti' + 1) <= t'" ] % 

IMP_HES_TAC NOT_LBSS_EQ_LBSS 

THEN IMP_RES_TAC ( REWRXTE_RtJLB [ADD1] LT_SUC_IMP_LE ) 

THEN IMP_RBS_TAC LESS_EQOAL_ANTISYM 
THEN DBLBTB_ASSOM_TAC "t' = (ti't timeC)" 

THEN ASM_RBWRITB_ASSOM_TAC ( "NTH_TIMB_TRUB t(ale_aig_ib p')0 ti'",[]) 

THEN IMP_RES_TAC NTH_TIME_TRUE_X_XMP_X 

THEN IMP_RES_TAC IB0S_ALE_XMP_PA 

THEN UNDISCH__TAC "New_State_Ie_PD a' e' t'" 

THEN RBWRITB_ASSUM_TAC ( "New_State_Ie_PA s' e ' t ' [New_State_Xs_PA] ) 

THEN IMP_RES_TAC PA_IMP_NOT_PD 

THEN ASM_REWRITB_TAC [NeW_State_IS_PD] 

] 

] 

);; 

% P_LOAD_TRUE_THEN_STABLE_FALSE_FROM_TP'_TO_T'SACK: under Standard_Assumps,
  if Sack_Sig_Is_TRUE s' e' is stable-false on (ti', t'sack-1) then
  TRUE_THEN_STABLE_FALSE (\u'. P_loadS (s' u')) (tp', t'sack) holds.
  Proof: after unfolding, three subgoals -- tp' <= t'sack (from the
  NTH_TRANS_CAUSAL ordering of tp', ti'), P_loadS at tp' (P_load_ISO and
  P_rqt_ISO at tp'-1), and ~P_loadS for tp' < t' <= t'sack (New_P_Rqt is
  true at t'-1 by the NEW_P_RQT_TRUE_* lemmas, then P_load_ISO). %
let P_LOAD_TROB_THBN_STABLE_FALSB_FROM_TP'_TO_T'SACK = TAC_PROOF 

(([], 

" 1 (t' : timeC) 

(pti t PTI) (a ;timeT->pt_state) (e ;timeT->pt_env) (p ;timeT->pt_out) 

(t ttimeT) (s' t timeC- >pc_state) (e' ;timeC->po_env) (p' ;timeC->pc_out) 
(tp' ti' t'sack : timeC) . 

(Standard_Assumps pti s e p t s' e' p' tp' ti' /\ 

STABLE_FALSE ( sack_Sig_Is_TRUB s' e') ( ti ', t ' sack-1) ) »■> 
TRUB_THEN_STABLB_FALSB (\u'. P_loadS (s' U' ) ) ( tp' , t ' sack) » ) , 

RBWRI TE_TAC [Standard_Assumpa > TRUE_THEN_STABLE_FALSE ) 

THEN BBTA_TAC 

THEN REPEAT STRIP_TAC 

THBNL [ 

% Subgoal 1: "tp' <= t'sack" % 

REWRITE_ASSUM_TAC 

("STABLE_FALSE(Sack_Sig_Is_TRUB s' e ' ) (ti ' , t ' sack - 1) ", [STABLB_FALSE] ) 
THEN POP_ASS0M_LIST (MAP_EVBRY (\thm. STRIP_ASSUMB_TAC thm) ) 

THEN ASSHMB_TAC (SPBCL ["t ' sack; timeC"; "1"J SUB_LBSS_EQ) 

THEN IHP_RES_TAC NTH_TRANS_CAOSAL 
THEN XMP_RBS_TAC LESS_EQ_TRANS 

; 

% Subgoal 2: "P_loadS (s' tp')" -- first show ~P_rqtS at tp', then
  rewrite tp' as (tp'-1)+1 so the ISO lemmas apply. % 

SOBQOAL_THEN "-P_rqtS(s' (tp' itimeC) ) " ASSUME_TAC 
THBNL [ 

% Subgoal 2.1: (New Subgoal) % 

PREC_TAC 

; 

% Subgoal 2.2: (Continue) % 

UNDISCH_TAC "~P_rqtS (s' ( tp ' : timeC ) ) " 

THEN S0B3OAL_THBN "tp' = (tp'-l)+l" (\thm. PURE_ONCE_REWRITE_TAC [thm]) 
THBNL [ 

% Subgoal 2.2.1: (New Subgoal) % 

IMP_RES_TAC (RIMP ONB_LBSS_EQ) 

THEN XMP_RES_TAC 

(SPECL ["tp' :timeC";"l''3 <STO_RULB SDB_ADD) ) 

; 

% Subgoal 2.2.2: (Continue) % 

IMP_RES_TAC P_load_ISO 
THEN XMP_RBS_TAC P_rqt_ISO 
THEN ASM_RBWRITE_TAC [ ] 

THEN DISCH_TAC 

THEN ASM_REWRITB_TAC ( ] 

] 

] 

% Subgoal 3: [ "tp' < t'" ] 

[ "t' <= t'sack" ] 

[ "P_loadS (s' t')" ] -- derive a contradiction: New_P_Rqt holds at t'-1,
  so P_loadS cannot hold at t'. % 

UNDISCH_TAC "P_loadS (s' ( t ' 1 1 imeC ) ) " 

THEN SUBOOAL_THEN "t ' = (t'-D+l" (\thm. PURE_ONCB_RBWRITE_TAC [thm]) 

THBNL [ 

% Subgoal 3.1: (New Subgoal) % 

IMP_RES_TAC (RIMP ONE_LESS_EQ) 

THEN IMP_RBS_TAC LBSS_BQ_LBSS_TRANS 
THEN IMP_RKS_TAC LT_IMP_LE 

THEN IMP_RES_TAC ( S YM_RULE (SPECL ["t ' t timeC" ) "1") SOB_ADD) ) 

» 

% Subgoal 3.2: (Continue) -- identify the ale time ti'' of the next
  I-bus transaction with ti' (TRUE_EVENT_TIMES_EQUAL). % 

IMP_RBS_TAC IBUS_TRANS_EXISTS 

THEN IMP_RES_TAC NBXT_IBUS_TRANS_IS_NTH 

THEN SUBQOAL_THBN 

"ti" = (ti' ttimac) " ( \thm. RULB_ASSUM_TAC ( RKWRITB_RULE [thm])) 

THBNL [ 

% Subgoal 3.2.1: (New Subgoal) % 

IMP_RBS_TAC TRUE_EVBNT_TIMES_EQUAL 

> 

% Subgoal 3.2.2: (Continue) % 

RHWRITB_ASSUM_TAC 

("STABLE_FALSE_THBN_TRCE(ale_sig_ib p') (tp'.ti')", 
[STABLB_FALSE_THBN_TRUE] ) 

THEN POP_ASSOM_LIST (MAP_BVERY (\thffl. STRIP_ASS(JMB_TAC thm)) 

J 

THEN IMP_RES_TAC NKW_P_RQT_TRUE_FROM_TI ' _TO_T ' SACK 
THEN IMP_RSS_TAC NEW_P_RQT_TRHE_FROM_TP ' _TO_TI ' 

THEN NRDLE_ASSOM_TAC 

("Iti' . STABLE_FALSE(ale_8ig_lb p' ) (tp'.ti' - 1) «=> 

(It', tp' <» t' «■»> t' <= ti' ==> New_PJRqt_Is_TRUB s' a' t')", 
( (REWRITE_RULB [ STABLE_FALSE ] ) o (SPEC "ti' t timeC") ) ) 

THEN ASM_CASBS_TAC "tp' <= (ti' - 1)" 

THBNL [ 

% Subgoal 3.2.2.1: [ "tp' <= (ti' - 1)" ] -- ale is low on
  [tp', ti'-1], so New_P_Rqt is true on [tp', ti']. % 

SUBOOAL_THBN 

"(It. tp' <> t A t <= (ti' - 1) ==> -ale_sig_ib p' t)" ASSUME_TAC 
THBNL [ 

% Subgoal 3.2.2.1.1: (New Subgoal) % 

REPEAT STRIP_TAC 
THEN SPBC_ASSUM_TAC 

("It. tp' <«> t /\ t < ti' =»> -ale_sig_ib p' t", "t' ' ttimeC") 
THEN IMP_RES_TAC (RIMP ONB_LESS_BQ) 

THEN IMP_RBS_TAC (REWRITB_RtJLE (PRE_StTBl ] LE_PRE_IMP_LT ) 

THEN RES_TAC 

; 

% Subgoal 3.2.2.1.2: (Continue) -- t'-1 lies either in [ti', t'sack)
  or in [tp', ti']; both give New_P_Rqt at t'-1. % 

ASM_REWRITB_ASSUM_TAC 
("tp' <=> (ti' - 1) /\ 

(It. tp' <= t /\ t <= (ti' - 1 ) ==> -ale_sig_ib p' t) ==> 

( ! t ' . tp' <= t' ««> t' <= ti' =■> New_P_Rqt_Is_TRUE s' e' t')'', 

U) 

THEN SPEC_ASSDM_TAC 

("It'. ti'<=t' ==> t ' <t ' sack ==> New_P_Rqt_Is_TRUE s' a' t'", 
"t'-l") 

THEN SPEC_ASSUM_TAC 

("It'. tp'<=t' ==> t'<=ti' ==> New_P_Rqt_Is_TRHE s' a' t'", 
"t'-l") 

THEN ASM_CASES_TAC "ti' <» (t' - 1)" 

THBNL [ 

% Subgoal 3.2.2.1.2.1: [ "ti' <= (t' - 1)" ] % 

IMP_RES_TAC (RIMP ONE_LESS_EQ) 

THEN IMP_RBS_TAC LESS_EQ_LBSS_TRANS 
THEN IMP_RES_TAC LESS_LESS_EQ_TRANS 
THEN IMP_RE S_TAC LT_IMF_LE 

THEN IMP_RBS_TAC ( REWRITE_RULE [PRE_SUB1] LB_IMP_PRB_LT) 

THEN RBS_TAC 

> 

% Subgoal 3.2.2.1.2.2: [ "~ti' <= (t' - 1)" ] % 

IMP_RES_TAC NOT„LESS_EQ_LBSS 
THEN IMP_RBS_TAC LT_IMP_LE 

THEN IMP_RBS_TAC ( RBWRITE_RULB [PRB_SUB1] LT_IMP_LE_PRE ) 

THEN RBS_TAC 

] 

THEN REWRITB_ASSUM_TAC 

( "New_P_Rqt_Ia_TRUE 8' e'(t' - 1)", 

[New_P_Rqt_Ia_TRUB ; New_State_Is_PD] ) 

THEN IMP_RBS_TAC P_load_ISO 
THEN ASM_REWRITB_TAC [] 

] 

I 

% Subgoal 3.2.2.2: [ "~tp' <= (ti' - 1)" ] -- then ti' = tp'
  (LESS_EQUAL_ANTISYM) and only the ti'..t'sack lemma is needed. % 

IMP_RE S_TAC NOT_LBSS_EQ_LBSS 
THEN IMP_RE S_TAC (RIMP ONB_LESS_EQ) 

THEN IMP_RBS_TAC (RBWRITE_RULE [PRE_SOBl] PRE_LT_IMP_LE ) 

THEN SUBOOAL_THBN 

"tl' = (tp' ItimeC)" (\thm. RULB_ASSUM_TAC (REWRITE_RULE [thm] ) ) 
THBNL [ 

% Subgoal 3.2.2.2.1: (New Subgoal) % 

IMP_RES_TAC LESS_EQUAL_ANTISYM 

I 

% Subgoal 3.2.2.2.2: (Continue) % 

SPEC_ASSUM_TAC 

("It', tp' <= t' ==> t' < t ' sack ==> New_P_Rqt_l8_TRUE s' e' t'", 
"t'-l") 

THEN UdP_RES_TAC (RBWRITE_RDLB [PRE_SOBl] LT_XMP_LE_PRE ) 

THEN IMP_RES_TAC (RIMP ONE_LESS_EQ) 

THEN IMP_RES_TAC LESS_EQ_LESS_TRANS 
THEN IMP_RBS_TAC LT_IMP_LE 

THEN IMP_RES_TAC (RRWRITE_RULB [PRZ_SOBl] LE_IMP_PRE_LT) 

THEN RBS_TAC 

THEN RBWRITE_ASSOM_TAC 

( "New_P_Rqt_Is_TRUB s' a'(t' - 1)", 

[New_P_Rqt_Is_TRUE ; New_State_I#_PD] ) 

THEN XMP_RBS_TAC P_load_ISO 
THEN ASM_REWRITE_TAC () 

1 

] 

] 

] 

) ;; 

% P_DOWN_STABLE_FALSE_THEN_TRUE_FROM_TP'_TO_T'RDY0: under Standard_Assumps,
  if I_srdy_E is stable-true-then-false on (ti'+1, t'rdy0) then
  STABLE_FALSE_THEN_TRUE (\u'. P_downS (s' u')) (tp'+1, t'rdy0+1) holds,
  i.e. P_downS is false on [tp'+1, t'rdy0] and true at t'rdy0+1.
  Proof: SACK_SIG_FALSE_DURING_DATA_0 gives the Sack_Sig interval first;
  then three subgoals -- the bound (tp'+1) <= (t'rdy0+1), ~P_downS at each
  t' in the interval (split on (ti'+1) <= (t'-1): before ti' the state is
  not PD, at ti' it is PA, afterwards P_down_ISO at t'-1 applies), and
  P_downS at t'rdy0+1 (state is PD at t'rdy0 via NEW_STATE_PD_FROM_TI'_TO_T'SACK_1,
  then P_down_ISO). % 
let P_DOWN_STABLB_FALSE_THBN_TRUE_FROM_TP ' _TO_T ' RDYO = TAC_PROOF 

(<[], 

"1 (t' itimeC) 

(pti tPTI) (s itiraeT->pt_atate) (a t timeT->pt_env) (p i timeT->pt_out ) 

(t itlmeT) (a' : timeC->pc_state) (o' ttimeC->pc_env) (p' t timeC->pc_out ) 
(tp' ti' t'sack itimeC) . 

(Standard_AssuinpB ptl 8 a p t 8' e' p' tp' tl' A 
STABLB_TROE_THHN_FALSB (bsig I_srdy_E •') (ti' +1, t ' rdyO) ) ==> 
STABLE_FALSE_THBN_TRUB (\u'. P_downS (a' u' ) ) (tp' +1, t 'rdyO+1) ") , 
REWRITE_TAC (Standard_A8aunpa ; STABLB_FALSB_THEN_TROE ) 

THEN BETA_TAC 

THEN REPEAT STRIP_TAC 

THEN IMP_RES_TAC SACK_SIG_FAX.SE_DURINO_DATA_0 
THBNL [ 

% Subgoal 1: "(tp' + 1) <= (t'rdy0 + 1)" % 

RBWRITE_ASSUM_TAC 

( "STABLB_TRUE_THBN_FALSE (bsig I_srdy_B e')(ti' + 1 , t ' rdyO ) " , 
[STABLE_TRUB_THBN_FALSB ] ) 

THEN POP_ASSOM_LIST (MAP_BVERY (\thm. STRIP_ASSDME_TAC thm) ) 

THEN ASSOMB_TAC (SPBCL ["t ' rdyO I timeC" » "1"] LESS_EQ_ADD ) 

THEN IMP_RBS_TAC NTH_TRANS_CAOSAL 
THEN IMP_RBS_TAC 

(RIMP (SPBCL ("tp' ItimeC") "ti' ! t imeC" ; "1"] LBSS_BQ_MONO_ADD_EQ) ) 
THEN IMP_RBS_TAC LESS_EQ_TRANS 
% Subgoal 2: [ "(tp' + 1) <= t'" ] 

[ "t' < (t'rdy0 + 1)" ] 

[ "P_downS (s' t')" ] -- derive a contradiction. % 

NRULE_AS SUM_TAC 

( "STABLB_TRUE_THEN_FALSE (bsig I_srdy_B e')(ti' + 1, t'rdyO)", 

{ BETA_RULE o ( REWRITB_ROLE [STABLE_TRUE_THBN_FALSB)baig; ESel ] ) ) ) 

THEN POP_ASStJM_LIST (MAP_BVERY (\thm. STRIP_ASStJMB_TAC thm)) 

THEN SPEC^ASSUM_TAC 

("It. (ti' + 1) <= t A t < t'rdyO ==> SND(I_srdy_B(e' t ) ) " , "t'-l") 
THEN IMP_RES_TAC (REWRITE_RULB [ADD1] LT_SUC_IMP_LB) 

THEN IMP_RBS_TAC (RIMP ONE_LESS_EQ) 

THEN ASSUME_TAC (SPECL t"tp' ttimeC";"l"] LBSS_EQ_ADD) 

THEN XMP_RES_TAC LESS_EQ_TRANS 

THEN IMP_RES_TAC ( REWRITE_RULB [PRE_SOBl] LE_IMP_PRE_LT ) 

THEN ASM_CASES_TAC "(ti' + 1) <= (t' - 1)" 

THENL [ 

% Subgoal 2.1: [ "(ti' + 1) <= (t' - 1)" ] -- srdy is true at t'-1,
  so P_down_ISO at t'-1 contradicts P_downS at t'. % 

RBS_TAC 

THEN UNDISCH_TAC "P_downS (s' ( t ' 1 1 imeC ) ) " 

THEN SOBOOAL_THEN "t ' = (t'-l)+l" (\thm. PORE_ONCE_REWRITE_TAC (thm] ) 
THENL [ 

% Subgoal 2.1.1: (New Subgoal) % 

IMP_RES_TAC (RIMP ONB_LESS_EQ) 

THEN IMP_RES_TAC LESS_EQ_LESS_TRANS 
THEN IMP_RKS_TAC LT_XMP_LE 

THEN IMP_RES_TAC ( SYM_RULB (SPECL ("t ' t timeC") "1"] SOB_ABD) ) 

) 

% Subgoal 2.1.2: (Continue) % 

IMP_RRS_TAC 

(SPECL ["a' t timoC->pc_atate" j "a ' t timeC->pc_env" ; "p' t timeC ->pc_out" ; 
"t'-l"] (OKN_ALL P_down_ISO) ) 

THEN ASM_REWRITE_TAC [ ] 

] 

I 

% Subgoal 2.2: [ "~(ti' + 1) <= (t' - 1)" ] -- so t'-1 <= ti'. % 

IMP_RES_TAC NOT_LESS_BQ_LBSS 

THEN IMP_RES_TAC (RBWRITR_RULB [ADD1] LT_SUC_IMP_LE ) 

THEN IMP_RES_TAC (SPECL ["ti ' +1"; "t ' t timeC"; "1"] LESS_EQ_MONO_SOB) 

THEN SDBOOAL_THBN 

"(tp'+l)-l=tp'" (Nthm. RDLE_ASSOM_TAC (RBWRITEJRULB [tbml ) ) 

THENL [ 

% Subgoal 2.2.1: (New Subgoal) % 

REWRITB_TAC [ADD_SOB] 

I 

% Subgoal 2.2.2: (Continue) % 

ONDISCH_TAC "P_downS (s' ( t ' 1 1 imeC ) ) " 

THEN SUBOOAL_THEN 

"t' = (t'-l)+l" (\thm. PORB_ONCB_RBWRITE_TAC [thm]) 

THENL [ 

% Subgoal 2.2.2.1: (New Subgoal) % 

IMP_RBS_TAC (RIMP ONE_LESS_EQ) 

THEN IMP_RBS_TAC LESS_EQ_LESS_TRANS 
THEN IMP_RES_TAC LT_IMP_LR 

THEN IMP_RES_TAC (SYM_ROLE (SPECL ["t' ttimeC"; "1"] SDB_ADD) ) 

; 

% Subgoal 2.2.2.2: (Continue) -- identify the next I-bus transaction's
  ale time with ti'. % 

IMP_RES_TAC IBOS_TRANS_EXISTS 

THEN IMP_RES_TAC NBXT_IBUS_TRANS_IS_NTH 

THEN SUBOOAL_THEN 

"ti" ■ (ti' ttimeC)" 

(Nth m. RULB_ASSUM_TAC (REWRITE_RULB [thm])) 

THENL ( 

% Subgoal 2.2.2.2.1: (New Subgoal) % 

IMP_RES_TAC TRUE_EVBNT_TIMES_EQUAL 

; 

% Subgoal 2.2.2.2.2: (Continue) % 

REWRITB_AS StJM_TAC 

( "STABLE_PALSE_THBN_TROB ( ale_sig_ib p ' ) ( tp ' , ti ' ) " , 
[STABLB_FALSE_THBN_TROE] ) 

THEN POP_ASSUM_LIST (MAP_BVERY (\thm. STRIP_ASSOMB_TAC thm)) 
THEN IMP_RES_TAC NEM_STATB_PD_FALSB_RROM_TP ' _TO_TI ' 
THEN NRULE_ASSUM_TAC 

( " ! ti ' . STABLB_FALSE(ale_sig_ib p') (tp',ti' - 1) ==» 
(It*, tp' <= t ' ==> t ' <= ti' ==> 

- New_S t at e_I a _PD a ' a ' t ' ) " , 

( (RBWRITBJRULE [STABLE_FALSE] ) o (SPEC "ti' itimeC") ) ) 

THEN ASM_CASES_TAC "tp' <= (ti' - 1)" 

THBNL [ 

% Subgoal 2.2.2.2.2.1: [ "tp' <= (ti' - 1)" ] -- state is not PD on
  [tp', ti'], so P_down_ISO at t'-1 refutes P_downS at t'. % 

SCBOOALJTHEN 

"(It. tp' <= t /\ t <= (ti' - 1) ==> 

-alo_8ig_ib p' t)" ASSUME_TAC 
THBNL [ 

% Subgoal 2.2.2.2.2.1.1: (New Subgoal) % 

REPEAT STRIP_TAC 
THEN SPBC_ASSUM_TAC 

("It. tp' <= t A t < ti' ==> 

-ale_sig_ib p' t", "t '' t timeC") 

THEN XMP_RES_TAC (RIMP ONE_LESS_EQ) 

THEN XMP_RES_TAC ( REWRITE_RULE [PRE_SUB1] LE_PRE_IMP_LT ) 
THEN RBS_TAC 

I 

% Subgoal 2.2.2.2.2.1.2: (Continue) % 

ASM_RBWRITB _ASSUM_TAC 
("tp' <= (ti' - 1) /\ 

(It. tp' t /\ t <= (ti' - 1) ==> 

~ale_aig_ib p ' t) ==> (It', tp' <= t ' ==> t ' <= ti' 

==> -NaW_State_l8_PD s' a' t' )",[]) 

THEN SPBCJVSSOM_TAC 

("It', tp' <= t' ==> t' <= ti' =«> 

-New_State_Is_PD s' a' t'","t'-l") 

THEN RES_TAC 

THEN REWRITE_ASSUM_TAC 

("~New_State_Is_PD 8' e'(t' - 1) ", tNew_State_l8_PD] ) 
THEN JMP_RES_TAC 

(SPECL ("s' iti«8C->pc_8tate">"#' i t imaC - >pc_env" ; 

"p' itimeC->pc_out"»"t'-l"] 

(OEN_ALL P_down_XSO) ) 

THEN ASM_REWRITB_TAC U 


% Subgoal 2.2.2.2.2.2: [ "~tp' <= (ti' - 1)" ] -- then tp' = ti' = t'-1;
  the state at ti' is PA (IBUS_ALE_IMP_PA), which is distinct from PD. % 
IMP_RES_TAC NOT_LESS_EQ_LESS 

THEN IMP_RES_TAC (RBWRXTE_RULE £PRE_SUB1] PRE_LT_IMP_LE ) 
THEN SUBOOAL_THEN 

"tp' = (ti' t timeC) " 

(\thm. ROLE_ASSUM_TAC (REWRITE_ROLE [thm] ) ) 

THBNL [ 

% Subgoal 2.2.2.2.2.2.1: (New Subgoal) % 

IMP_RBS__TAC LESS_EQUAL_ANTISYM 

; 

% Subgoal 2.2.2.2.2.2.2: (Continue) % 

SOBOOAL_THEN "(t'-l) = ti'" (\thm. REWRITE_TAC [thm]) 
THBNL [ 

% Subgoal 2.2.2.2.2.2.2.1: (New Subgoal) % 

IMP_RBS_TAC LBSS_EQOAL_ANTISYM 

; 

% Subgoal 2.2.2.2.2.2.2.2: (Continue) % 

XMP_RES_TAC IBUS_ALB_IMP_PA 
THEN RBHRITB_ASSOM_TAC 

("Naw_Stata_X8_PA s' a' ti [Naw_State_Is_PA] ) 
THEN ASSUMB_TAC 

(SPECL ("s' ttimeC->po_state"j"e' t timeC ->pc_env" ; 
*p' ttimeC->pc_out";"ti' ttimeC"] 

( OBN_ALL P_down_ISO) ) 

THEN RES_TAC 

THEN ASM_REWRITB_TAC 

[prove_constructors_distinct pf am_ty_Axiom] 

] 

] 

] 

] 
] 

] 

] 

; 

% Subgoal 3: "P_downS (s' (t'rdy0 + 1))" -- state is PD at t'rdy0,
  then P_down_ISO. % 

IMP_RES_TAC NTH_TIME_TRUE_X_IMP_X 

THEN IMP_RBS_TAC NBW_STATE_PD_FROM_TI ' _TO_T ' SACK_1 
THEN NRtJLE_ASSUM_TAC 

( "STABLE_TRUE_THBN_FALSB (bslg I_srdy_B a'Xti' + l,t 'rdyO) ", 

( BETA_RULE o ( REWRITE_RULE [STABLE_TRUE_THBN_FALSEfbsig;BSel] ) ) ) 
THEN POP_ASSUM_LIST (MAP_EVBRY (\thm. STRIP_ASSUME_TAC tbm))~ 

THEN SPBC_ASSOM_TAC 

("It', (ti' + 1) <= t' ==> t' <= t'rdyO ==> 

Naw_Stata_Is_PD s' s' t ' ", "t ' rdyO ttimeC") 

THEN ASSOME_TAC (SPEC "t ' rdyO t timeC" LESS_EQ_REFL ) 

THEN RBS_TAC 

THEN REWRITE_ASSUM_TAC ( "New_State_Is_PD s' e' t ' rdyO", [New_State_Is_PD] ) 
THEN IMP_RBS_TAC P_down_ISO 
THEN ASM_RBWRITB_TAC[] 

1 

);; 

% OFFSET_P_SIZE_STABLE_FROM_TP'_TO_T'RDY0: P_sizeS (s' (tp'+u'+1)) equals
  SUBARRAY (SND (L_ad_inE (e' tp'))) (1,0) for every offset u' with
  tp'+u'+1 <= t'rdy0, under Standard_Assumps and I_srdy_E
  stable-true-then-false on (ti'+1, t'rdy0).
  Proof: induction on u' (INDUCT_TAC; u' is the outermost bound variable).
  Both cases rest on P_size_ISO: the base case uses P_loadS true at tp',
  the step uses ~P_loadS and ~P_downS at tp'+u'+1 (from the
  P_LOAD_TRUE_THEN_STABLE_FALSE_* and P_DOWN_STABLE_FALSE_THEN_TRUE_* lemmas)
  so the size register is unchanged. %
let OFFSET_P_SIZE_STABLE_FROM_TP'_TO_T'RDYO * TAC_PROOF 

(([], 

"l (u' i timeC) 

(ptl iPTI) (s ttimeT->pt_state) (e ttimeT->pt_env) (p ttimeT->pt_out) 

(t itimaT) (s' itimeC->pc_stata) (a' i timaC->pc_env) (p' ttimeC->pe_out) 
(tp' ti' t'rdyO ttimeC) . 

(Standard_Assumps pti a apt s' a' p' tp' ti' /\ 

STABLB_TRUE_THBN_FALSB (bsig I_srdy_B a') (ti ' +1, t 'rdyO) /\ 

((tp'+u'+l) <= t'rdyO)) 

(P_sizeS (s' (tp'+u'+l) ) = SOBARRAY ( SND ( L_ad_inE (a' tp'))) (1,0))"), 
INDUCT_TAC 

THEN REPEAT STRIP_TAC 

THEN RU1B_ASSUM_TAC ( RBWRITE_RULE [ ADD1 ; ADD_CLAUSES ; AED_ASSOC ] ) 

THBNL [ 

% Subgoal 1: (Base Case) -- u' = 0, so the time is tp'+1 and P_loadS
  holds at tp'. % 

IMP_RBS_TAC RXPAND_STANDARD_ASSOMPS 

THEN IMP_RBS_TAC SACK_S IQ_FALSB_DURINO_DATA_0 

THEN IMP_RES_TAC P_LOAD_TRUE_THBN_STABLB_FAI,SE_FROM_TP '_TO_T ' SACK 
THEN NRULB_ASSOM_TAC 

( "TRUE_THEN_STABLB_FALSB ( \u ' . P_loadS (s' u ' ) ) ( tp ' , t ' rdyO ) " , 
(BETA_RULE o ( RBWRITB_RULB [ TROE_THEN_STABLE_FALSE ] ) ) ) 

THEN IMP_RBS_TAC P_aize_ISO 
THEN ASM_RBWRITE_TAC [ADD_CLAUSBS ] 

I 

% Subgoal 2: (Induction step) -- discharge the inductive hypothesis at
  tp'+u'+1, then show neither P_loadS nor P_downS holds there. % 

ASSUMB_TAC (SPECL [" (tp' +u' ) +1"; "1"] LBSS_EQ_ADD ) 

THEN IMP_RBS_TAC LBSS_EQ_TRANS 
THEN RBS_TAC 

THEN POP_ASSUM (\thm. ALL_TAC) 

THEN POP_ASSUM (\thm. ALL_TAC) 

THEN IMP_RES_TAC BXPAND_STANDARD_ASSUMPS 
THEN IMP_RBS_TAC SACK_SIO_FALSB_DURINO_DATA_0 

THEN IMP_RBS_TAC P_LOAD_TRUE_THBN_STABLB_FALSE_FROM_TP '_TO_T ' SACK 
THEN NRULB_ASSOM_TAC 

( "TRUB_THBN_STABLE_FALSE ( \u ' . P_loadS (s' u ' ) ) ( tp ' , t ' rdyO ) " , 
(BHTA_RULB o ( REWRITB_RULE [TRUE_THBN_STABLE_FALSE ] ) ) ) 

THEN POP_ASSOM_LIST (MAP_RVBRY (\thm. STRIP_ASSOMB_TAC thm) ) 

THEN SPEC^ASSUM_TAC 

("It. tp' < t /\ t <» t'rdyO mm> -P_loadS ( a ' t) ", " (tp'+u' ) +1") 

THEN ASSUME_TAC (SPECL ["tp' ttimeC") "u' ttimeC") LBSS_BQ_ADD ) 

THEN ASSUMB_TAC (RBWRXTEJRULE [ADD1] (SPEC "tp'+u'" LESS_SUC_REFL) ) 

THEN IMP_RES_TAC LBSS_BQ_LESS_TRANS 

THEN IMP_RES_TAC P_DOWN_STABLE_FALSE_THBN_TROE_FROM_TP '_TO_T 'RDYO 
THEN NRDLB_ASSUM_TAC 

("STABLE_FALSB_THBN_TROE(\u' . P_downS(s' u'))(tp' + 1, t'rdyO + 1)", 
(BBTA_RULE o ( REWRITE _RULE [ STABLE_FALSB_THEN_TRUE ] ) ) ) 

THEN POP_ASSOM_LIST (MAP_EVBRY (\tbjn. STRIP_ASSUMB_TAC thm)) 

THEN SPEC_ASSOM_TAC 

("It. (tp' +1) <- t /\ t < (t'rdyO + 1) ««> -P_downS(s' t)". 
" (tp'+u')+l") 

THEN IMP.RES.TAC (REWRITE. RULE [AUDI] LE_IMP_LT_SUC) 

THEN IMP_RES_TAC 

(SPBCL ["tp' itimeC"/"tp'+U'";"l"] (RIMP LBSS_EQ_MONO_ADD_EQ) ) 

THEN RES.TAC 

THEN IMP.RES.TAC P.size.ISO 

THEN ASM_RBWRITE_TAC [ADD.CLAUSBS ; AUDI ; ADD.ASSOC } 

] 

)n 

% P_SIZE_STABLE_FROM_TP'_TO_T'RDY0: for any t' with tp'+1 <= t' <= t'rdy0,
  P_sizeS (s' t') = SUBARRAY (SND (L_ad_inE (e' tp'))) (1,0), under
  Standard_Assumps and I_srdy_E stable-true-then-false on (ti'+1, t'rdy0).
  Proof: instantiate OFFSET_P_SIZE_STABLE_FROM_TP'_TO_T'RDY0 at an offset
  chosen so that tp' + (offset + 1) = t'; the bulk of the script is the
  arithmetic showing tp' + ((t' - (tp' + 1)) + 1) = t' given tp'+1 <= t'. %
let P.SIZE.STABLE.FROM.TP'.TO.T'RDYO a TAC.PROOF 

(([], 

"1 (t' itimaC) 

(pti iPTI) (s itimeT->pt_state) (a itimaT->pt_env) (p ! timeT->pt_out) 

(t itimeT) (s' ttimaC->po_stata) (a' ttimaC->pc_env) (p' t t imaC - >po_out ) 

(tp' ti' t'rdyO itimaC) . 

(Standard.Assumps pti s a p t s' a' p' tp' ti' /\ 

STABLB.TRUE.THBN.FALSE (bsig I_ardy_E a') ( t i ' +1, t ' rdyO ) /\ 

((tp'+l) <= t') /\ 

(t' <w t'rdyO) ) 

aa> 

(P.sizeS (s' t') = SUBARRAY ( SND ( L_ad_inE (a' tp'))) (1,0))"), 

REPEAT STRIP.TAC 

THEN XMP_.RES_.TAC (SPEC "t'-tp'+l" OFFSET_P_SIZB_STABLE_FROM_TP'_TO_T'RDYO) 

THEN POP.ASSUM ( \thm. ALL.TAC) 

THEN POP.ASSUM (Sthm. ALL.TAC) 

THEN SPBCL_ASSUM_TAC 

("It' tp'". (tp' + ( ( t ' - (tp'" + 1)) + 1)) <= t'rdyO =■>• 

(P.sizeS (a ' (tp' + ( ( t ' - (tp'" +1)) +1))) » 

SUBARRAY ( SND ( L_ad_inE ( a ' tp' ) ) ) (1,0) )", 

["t' itimaC";"tp' itimaC"] ) 

THEN SUBOOAL.THBN 

"(tp' + { (t ' - (tp' + 1)) + 1)) = t'" 

(\thm. RULB_ASSUM_TAC (RBWRITE.RULE [thm] ) ) 

THENL [ 

% Subgoal 1: (New subgoal) "tp' + ((t' - (tp' + 1)) + 1) = t'" --
  pure arithmetic on naturals; needs 1 <= t' - tp' to cancel the
  subtraction. % 

REWRITE.TAC [SYM.RULE (ASSOC_SUB_SUBl) ) 

THEN ASSUME.TAC (RBWRITE.RULE [] (RBDUCB.CONV "l<al") ) 

THEN IMP_RBS_TAC SUC_LE_IMP_LE 

THEN SUBOOAL.THBN "1 <a (t' - tp')" ASSUME.TAC 
THENL [ 

% Subgoal 1.1: "1 <= (t' - tp')" 

[ "(tp' + 1) <= t'" ] % 

REWRITE.TAC 

[SYM.RULE ( SPBCL ["1"; "t ' -tp ' "; "tp ' 1 timaC"] LESS_BQ_MONO_ADD_EQ ) ] 

THEN ASSUME.TAC (SPEC "tp' itimaC" LESS.EQ.REFL) 

THEN IMP.RB S.TAC 

(SPBCL t"t‘ itimaC";"tp' itimaC";"tp' itimaC"] ASSOC.SUB.ADD1 ) THEN 

ASM.RBWRITB.TAC [SUB.EQUAL.O J ADD.CLAUSBS] 

THEN PURE.ONCE.RBWRITE.TAC [ADD.SYM] 

THEN ASM.REWRXTB.TAC [] 

J 

% Subgoal 1.2: [ "1 <= (t' - tp')" ] % 

IMP.RES_.TAC (SPBCL ("t ' -tp' "; "1"; "1"] ASSOC.SUB.ADD1 ) 

THEN ASM.RBWRITB.TAC [SUB.EQUAL.O j ADD.CLAUSBS ] 

THEN PURE.ONCE.RBWRITE.TAC [ADD.SYM] 

THBN ASSUME.TAC (SPEC "tp'itimeC" LESS.EQ.REFL) 

THEN IMP.RB S.TAC 

(SPBCL ["t' itimaC"»"tp' itimeC";"tp' itimaC"] ASS0C.SUB.ADD1) 

THEN ASM.RBWRITB.TAC [SUB.EQUAL.O /ADD.CLAUSBS] 

] 

) 

% Subgoal 2: (Continue) -- the rewritten offset lemma now matches the
  goal directly. % 

RES.TAC 

] 

);; 

% This should have been proven above. % 
% P_SIZE_STABLE_AT_T'RDY0_PLUS_1: P_sizeS at t'rdy0+1 still equals
  SUBARRAY (SND (L_ad_inE (e' tp'))) (1,0), under Standard_Assumps and
  I_srdy_E stable-true-then-false on (ti'+1, t'rdy0).
  Proof: P_size_ISO reduces the goal to the value at t'rdy0, which
  P_SIZE_STABLE_FROM_TP'_TO_T'RDY0 gives provided neither P_loadS nor
  P_downS holds at t'rdy0; those two facts come from the
  P_LOAD_TRUE_THEN_STABLE_FALSE_* and P_DOWN_STABLE_FALSE_THEN_TRUE_*
  lemmas specialised at t'rdy0. %
let P_SIZE.STABLE.AT_T ' RDY0.PLUS.1 = TAC.PROOF 
(([], 

"1 (pti t PTI) (s itimaT->pt_stata) (a itimeT->pt_env) (p t timeT->pt_out ) 

(t ttimeT) (s' itimaC->pc_stata) (a' 1 1 imaC - >pc_env ) (p' i timaC ->pe_out) 
(tp' ti' t'rdyO ttimoC) . 

( Standard_Assumps pti a e p t a' o' p' tp' ti' A 
STABIiB_TRUE_THBN_FALSB (baig I_srdy_E o') (t i ' +1, t 'rdyO) ) 

(P_aizeS (»' (t'rdyO + 1) ) = SOBARRAY ( SND ( L_ad_inE (o' tp'))) (1,0))"), 
REPEAT STRIP_TAC 

THEN IMP_RBS_TAC BXPAND_STANDARD_ASSOMPS 
THEN IMP_HES_TAC P_«izo_ISO 
THEN ASM_REWRITB_TAC [ ] 

THEN IMP_RBS_TAC SACK_SIQ_FALSB_DURINQ_DATA_0 

THEN XMP_RBS_TAC P_LOAD_TROB_THEN_STABLE_FALSE_PROM_TP ' _TO_T ' SACK 
THEN NRULB_ASSUM_TAC 

( "TROE_THEN_STABLE_FALSE ( \u ' . P_loadS (a ' u' ) ) (tp' , t 'rdyO) ", 
(BETA_RULE o ( RBWRITE_ROLB [TRUE_THEN_STABLE_FALSB] ) ) ) 

THEN IMP_RBS_TAC P_DOWN_STABLE_FALSE_THEN_TRUB_FROM_TP ' _TO_T ' RDYO 
THEN NRULB_ASSUM_TAC 

( "STABLE_FALSE_THBN_TRUE ( \u ' . P_downS(a' u'))(tp' + 1, t'rdyO + 1)", 
(BBTAJRULB o ( REWRITE_RULE [STABLE_FALSE_THEN_TROB] ) ) ) 

THEN IMP_RBS_TAC P_SXZB_STABLB_FROM_TP'_TO_T'RDYO 
THEN SPEC_ASSOM_TAC 

("it', (tp' + 1) <= t' t' <= t'rdyO «=> 

(P_aizoS (a' t') a SUBARRAY (SND (L_ad_inE (o' tp' ) ) ) (1, 0) ) ", 

"t ' rdyO : timoC" ) 

THEN POP_ASSOM_LIST (MAP_BVBRY (\thm. STRIP_ASSUMB_TAC thm) ) 

THEN SPBC_ASSOM_TAC 

("it. (tp' + 1) <a t A t < (t'rdyO + 1) ==> ~P_downS(a' t)", 

"t ' rdyO i t imoc " ) 

THEN SPBC_ASSOM_TAC 

("it. tp' < t A t <a t'rdyO ==> ~P_loadS(a' t) ", "t 'rdyOttimoC") 

THEN ASSUMB_TAC (SPEC "t ' rdyO t timoC" LESS_EQ_REFL ) 

THEN ASSUME_TAC (SPEC "t ' rdyO I timoC" ( REWRITE_RULE [AUDI] LESS_SUC_RBFL ) ) 
THEN IMP_RES_TAC NTH_TRANS_CAUSAL 

THEN ASSDME_TAC (SPEC "ti'itimoC" ( REWRITE_RULE [ADD1] LESS_SOC_REPL) ) 

THEN REWRXTE_ASSOM_TAC 

( "STABLE_TRUE_THBN_FALSE (baig I_ardy_B o')(ti' + 1, t'rdyO)", 
[STABLB_TROE_THEN_FAI,SE] ) 

THEN POP_ASSOM_LIST (MAP_EVERY (\thm. STRIP_ASSUMB_TAC thm)) 

THEN IMP_RBS_TAC LBSS_BQ_LESS_TRANS 
THEN IMP_RBS_TAC LBSS_LESS_BQ_TRANS 

THEN IMP_RES_TAC ( REWRITB_RULE [ADD1] LT_IMP_SUC_LB ) 

THEN RES_TAC 

THEN ASM_RBWRITB_TAC[] 

)l! 

% I_LAST_FOR_BLOCK_SIZE_0: when the latched block size
  SUBARRAY (SND (L_ad_inE (e' tp'))) (1,0) is WORDN 1 0 and I_srdy_E is
  stable-true-then-false on (ti'+1, t'rdy0), the I_last_0 output is
  STABLE_LO on (ti'+1, t'rdy0), under Standard_Assumps.
  Proof: subgoal 1 is the interval bound; subgoal 2 shows the output at
  each t' is LO via I_last_ISO, using that the state is PD, P_sizeS still
  holds the latched size and ~P_downS at t'. %
lot I_LAST_FOR_BLOCK_SIZE_0 = TAC_PROOF 

(([], 

"1 (pti t PTI) (a itimoT->pt_atato) (o itimoT->pt_onv) (p itimoT->pt_out) 

(t itimoT) (a' itimoC->pc_atato) (o' s timoC ->pc_onv) (p' itimoc->pc_out) 
(tp' ti' t'rdyO : timoC) . 

(Standard_Aaaumpa pti a opt a' o' p' tp' ti' A 
( SUBARRAY ( SND ( L_ad_inE ( O ' tp')))(l,0) * WORDN 1 0) A 
STABLE_TROB_THBN_FALSB (baig X_ardy_E o') (ti ' +1, t 'rdyO ) ) ==> 

STABLE_LO (baig l_last_0 p') (ti'+l, t 'rdyO ) ") , 

RBWRITE_TAC [ba ig ) BSol ; STABLB_LO ] 

THEN REPEAT STRIP_TAC 

THEN IMP_RES_TAC (REWRITE_RDLE [baig;BSel] IB_READY_ASSUMPS ) 

THBNL [ 

% Subgoal 1: "(ti' + 1) <= t'rdy0" % 

RBWRITE_ASSUM_TAC 

( "STABLE_TROE_THBN_FALSE ( \t . SND (I_ardy_E (e ' t)))(ti' + 1, t'rdyO)", 

[ STABLE_TROE_THEN_FALSE ] ) 

THEN ASM_REWRITE_TAC [] 

I 

% Subgoal 2: 

"(\t. SND(I_last_0(p' t)))t' = LO" 

[ "STABLE_TRUE_THEN_FALSE ( \t . SND ( I_srdy_E ( e' t ) ) ) ( ti' + 1, t'rdy0)" ] 

[ "(ti' + 1) <= t'" ] 

[ "t' <= t'rdy0" ] % 

BETA_TAC 

THEN XHF_RSS_TAC BXPAND_STANDARD_ASSUMPS 

THEN IMP_RES_TAC ( REWRI TB_ROLB [baig;BSol] SACK_SXO_FALSB_DURINO_DATA_0) 
THEN IMP_RES_TAC 
(RBWRITEJRULE [bsig;BSel] P_SIZE_STABLE_FROM_TP ' _TO_T ' RDYO ) 

THEN IMP_RES_TAC NTH_TRANS_CAUSAL 
THEN IMP_RE S_TAC 

(SPECL ["tp' i timeC") "ti' : timeC"; "1"] (RIMP LESS_EQ_MONO_ADD_BQ ) ) 
THEN IMP_RES_TAC LESS_EQ_TRANS 
THEN IMP_RES_TAC 

(REWRITB_ROLE 

[bs ig; BSel ] P_DOWN_STABLE_FALSE_THBN_TROB_FROM_TP ' _TO_T ' RDYO ) 
THEN NRULB_ASSUM_TAC 

( "STABLE_FALSE_THEN_TRUB ( \u ' . P_downS(s' u'))(tp' + l,t'rdyO + 1) 
( BETA_RHLE o ( REWRITE_RULE [STABLB_FALSE_THEN_TRDE] ) f) 

THEN POP_ASSUM_LIST (MAP_EVBRY (\thm. STRIP_ASSUME_TAC thm)) 

THEN SPBC_ASSUM_ TAC 

("It. (tp' +1) <> t /\ t < (t'rdyO + 1) *=> ~P_downS ( b ' t)", 

"t' itimoC") 

THEN IMP_RES_TAC (REWRITE_RULE [ADD1] LE_IMP_LT_SUC ) 

THEN IMP_RES_TAC NTH_TIMB_TRUB_X_IMP_X 

THEN IMP_RES_TAC NEW_STATB_PD_FROM_TI ' _TO_T ' SACK_1 

THEN RBS_TAC 

THEN RBWRITE_ASSOM_TAC ( "New_State_Is_PD s' o' t [New_State_Is_PD] ) 
THEN IMP_RES_TAC I_laSt_ISO 
THEN ASM_REWRITE_TAC 

[WIRE ; SYM_RULE (provo_constructors_distinct pf sm_ty_Axiom) ] 

] 

)ll 

% I_LAST_STABLE_HI_FROM_TI'_TO_T'RDY0: the non-zero-size counterpart of
  I_LAST_FOR_BLOCK_SIZE_0 -- when VAL 1 (SUBARRAY (SND (L_ad_inE (e' tp')))
  (1,0)) > 0 and I_srdy_E is stable-true-then-false on (ti'+1, t'rdy0),
  I_last_0 is STABLE_HI on (ti'+1, t'rdy0), under Standard_Assumps.
  Proof: as for the size-0 lemma up to I_last_ISO; the remaining
  obligation is that the latched 1-bit word is not WORDN 1 0, obtained
  from VAL > 0 via MAXWORD, WORDN_1_NOT_EQUAL and WORDN_VAL_IDENT_1. %
lot I_LAST_STABLB_HI_FROM_TI ' _TO_T ' RDYO •= TAC_PROOF 

( ( M, 

"1 (pti »PTI) (s itlmoT->pt_stato) (o !timoT->pt_onv) (p stimoT->pt_out) 

(t itlmoT) (s' itlmoC->pc_stato) (o' : timeC ->pc_onv) (p' : t imoC - >pc_out ) 
(tp' tl' t'rdyO ttlmoC) . 

( St andard_As sumps pti s o p t s' o' p' tp' ti' /\ 

(VAL 1 ( SUBARRAY ( SND ( L_ad_inE ( a ' tp ' ) ) ) ( 1 , 0 ) ) > 0) /\ 
STABLE_TRDE_THEN_FALSE (bsig I_srdy_E o') (ti'+l, t'rdyO) ) ==> 

STABLB_HI (bsig l_last_0 p') (ti '+1, t 'rdyO) ") , 

REWRITE_TAC [bsig; BSol ; STABLB_HI ] 

THEN REPEAT STRIP_TAC 

THEN IMP_RBS_TAC (REWRITB_RULB [bsig;BSol] IB_READY_ASSOMPS ) 

THENL [ 

% Subgoal 1: "(ti' + 1) <= t'rdy0" % 

REWRITE_ASSOM_TAC 

("STABLB_TROB_THEN_FALSE(\t. SND (I_srdy_E (e ' t)))(ti' + l.t'rdyO) ", 

[ STABLE_TROE_THEN_FALSE ] ) 

THEN ASM_REWRITE_TAC[] 

; 

% Subgoal 2: 

"(\t. SND ( I_last_0 (p' t)))t' = HI" 

[ "STABLE_TRUE_THEN_FALSE ( \t . SND (I_srdy_E (e' t ) ) ) ( ti' + 1, t'rdy0)" ] 

[ "(ti' + 1) <= t'" ] 

[ "t' <= t'rdy0" ] % 

BETA_TAC 

THEN IHP_RBS_TAC BXPAND_STANDARD_ASSUMPS 

THEN IMP_RES_TAC (REWRITE_RDLE tbsigjBSol] SACK_SIO_FALSB_DORINO_DATA_0 ) 
THEN IMP_RBS_TAC NTH_TRANS_C AU SAL 
THEN POP_ASSUM (\thm. ALL„TAC ) 

THEN IMP_RES_TAC 

(SPECL ["tp' :timoC"»"ti' itimoC";"l"] (RIMP LESS_EQ_MONO_ADD_EQ) ) 
THEN IMP_RBS_TAC LESS_EQ_TRANS 
THEN IMP_RBS_TAC 

(REWRITB_RDLE [bsig; BSol} P_SIZE_STABLE_FROM_TP'_TO_T'RDY0) 

THEN IMP_RES_TAC 

( RBWRITB_ROLE 

[bsig; BSel] P_DOWN_STABLE_FALSE_THEN_TROE_FROM_TP '_TO_T 'RDYO ) 
THEN NROLE_ASSOM_TAC 

( "STABLE_FALSE_THEN_TROE ( \u ' . P_dovmS(s' U'))(tp' + 1, t'rdyO + 1) 
(BETA_RULE O (REWRITE_RDLE [STABLB_FALSE_THBN_TRUE] ) ) ) 

THEN POP_ASStJM_LIST (MAP_EVERY (\tbm. STRIP_ASSOME_TAC thm)) 

THEN SPEC_ASSUM_TAC 

("It. (tp' +1) <= t /\ t < (t'rdyO + 1) ==> ~P_dovmS(s' t)", 

"t' itimoC") 

THEN IMP_RES_TAC ( REWRITE_RULE [ADD1] LE_IMP_LT_SUC ) 

THEN IMP_RBS_TAC NTH_TIME_TROB_X_IMP_X 

THEN IMP_RBS_TAC NBW_STATB_PD_FROM_TI ' _TO_T ' SACR_1 
THEN RBS_TAC 

THEN RBWRITB_ASSUM_TAC ( "New_State_Is_PD s ' e' t ' ", (New_State_Is_PD) ) 

THEN IMP_RES_TAC I_last_ISO 
THEN ASM_RBWRITB_TAC 

[WIRBi SYM_RULE (prove_constructors_distinct pfsm_ty_Axiom) ] 

% Remaining goal: the latched 1-bit size word differs from WORDN 1 0. % 

THEN IMP_RES_TAC OT_XMP_NOT_EQ 
THEN ASSOME_TAC 

(SPBCL 1"1"I "SUBARRAY ( SND ( L_ad_inB ( e ' (tp' i timeC) ) ) ) ( 1, 0) "] MAXWORD) 
THEN ROLB_ASSOM_TAC REDUCB_RULE 

THEN XMP_RBS_TAC (RBWRITE_RULE [PRB_SUB1] XiT_IMP_LE_PRE ) 

THEN RULB_ASSUM_TAC REDUCE_ROLE 

THBN ASSUMB_TAC ( REWRITE_ROLE [] (REDUCB_CONV "0<=3")) 

THEN IMP_RBS_TAC WORDN_l_NOT_EQUAL 

THEN ASSUME_TAC (SPEC "SND (L_ad_inB (a ' (tp' itimeC) ) ) " SIZE_SOBARRAY_l) 

THEN IMP_RES_TAC 

(REDUCE_ROLE 

(SPEC "SUBARRAY (SND ( L_ad_inE ( e ' (tp' ! timeC) )))( 1, 0) " 
WORDN_VAL_IDBNT_l ) ) 

THEN ASM_REWRITR_ASSUM_TAC 

("-(WORDN 1(VAL 1 (SUBARRAY (SND (L_ad_inE (e ' (tp' stimeC) ) ) ) (1, 0) ) ) = 
WORDN 1 0)", [] ) 

THEN ASM_REWRITE_TAC [] 

] 

);; 

% I_SRDY_STABLE_TRUE_THEN_FALSE_FROM_T'RDY0_TO_T'RDY1: when the first
  falling edge of I_srdy_E after ti'+1 is at t'rdy0 (NTH_TIME_FALSE 0) and
  the latched block size is non-zero, there is a later time t'rdy1 such
  that I_srdy_E is stable-true-then-false on (t'rdy0+1, t'rdy1).
  Proof: IB_READY_ASSUMPS supplies the existence of such an interval after
  any time at which rdy_sig_ib holds; rdy_sig_ib at t'rdy0 follows from
  ~srdy at t'rdy0 and I_last_0 = HI there (I_LAST_STABLE_HI_FROM_TI'_TO_T'RDY0).
  NOTE(review): pti is used in the goal (Standard_Assumps pti ...) but is
  not in the binder list as printed -- it is free in the statement;
  confirm against the original listing. %
let I_SRDY_STABLB_TRUB_THBN_FAI.SE_FROM_T ' RDY0_TO_T ' RDY1 = TAC_PROOF 

<([), 

"1 (s itimeT->pt_state) (e ttimeT->pt_env) (p i timeT->pt_out) 

(t itimeT) (s' i timeC->pc_atate) (e' itimeC->pc_onv) (p' i timeC ->pc_out) 
(tp' ti' t'rdyO itimeC) . 

(Standard_Aseumpe pti a e p t s' e' p' tp' ti' /\ 
nth_time_FALSB 0 (bsig I_srdy_E e') (ti'+l) t'rdyO /\ 

VAL 1 (SUBARRAY (SND (L_ad_inK(e ' tp')))(l,0)) > 0) *=> 

(Tt'rdyl. STABLK_TRUE_THBN_FALSE (bsifl I_srdy„E e ' ) ( t ' rdyO+1, t ' rdyl ) ) ") , 
REPEAT STRIP_TAC 

THEN IMP_RBS_TAC EXPAND_STANDARD_ASSUMPS 
THEN IMP_RBS_TAC IB_READY_ASSUMPS 
THEN NRULE_ASSUM_TAC 

( " !u ' • rdy_a iff _ib e' p' u' »■•> 

(?v'. STABLB_TRUB_THEN_FALSE (bsig I_srdy_B e')(u' + 1,V'))", 
(BETA_RULE o 

(SPEC "t'rdyO ItimeC") o ( REWRITB_RULE [rdy_sig_ibjBSel] ) ) ) 

THEN IMP_RES_TAC NTH_TIME_FALSE_X_IMP_NOT_X 
THEN NRULE_ASSUM_TAC 

("-bsig l_srdy_B •' t ' rdyO " , ( BETA_RULE o (RBWRITB_RULB [bsigjBSel] ) ) ) 
THEN REWRXTE_ASSUM_TAC 

("NTH_TIME_FAI.SE 0(bsig I_srdy_E e')(ti' + 1) t ' rdyO", [NTH_TIME_FALSB ] ) 
THEN IMF_RES_TAC I_IAST_STABLB_HI_FROM_TI ' _TO_T ' RDYO 
THEN RBWRITE_ASSUM_TAC 

( "STABLE_HI (bsig l_last_0 p')(ti' + 1, t 'rdyO) ", [STABLB_HX>bsig;BSel] ) 
THEN POP_ASSUM_DIST (MAP_EVERY (\thm. STRXP_ASSUMB_TAC thm) ) 

THBN NRULB_ASSUM_TAC 

("It. (ti' +1) <» t /\ t <= t'rdyO ==> 

((\t. SND(X_last_0(p' t)))t = HI)", 

( BETA_RULB o (SPEC "t ' rdyO i t imeC " ) ) ) 

THBN ASSUME_TAC (SPEC "t ' rdyO : t imeC " LESS_EQ_RBFL) 

THBN RBS_TAC 
THBN RES_TAC 

THBN BXISTS_TAC "v' itimeC" 

THEN ASM_REWRITB_TAC [] 

) I ) 

% I_SRDY_TRUE_IMP_SACK_SIG_NOT_TRUE: extends a point-wise
  STABLE_FALSE (Sack_Sig_Is_TRUE s' e') (t', t') to the interval
  (t', u'-1) when SND (I_srdy_E (e' t)) is stable-true-then-false on
  (t'+1, u') and 1 <= u', under Standard_Assumps.
  Proof: for t'' in the interval, either (t'+1) <= t'' and srdy is true
  at t'' (which the unfolded Sack_Sig_Is_TRUE excludes), or t'' = t'
  and the point-wise hypothesis applies. %
let I_SRDY_TRUE_IMP_SACK_SIO_NOT_TRUB = TAC_PROOF 

(([], 

"I (pti iPTI) (s itimeT->pt_state) (e itimeT->pt_env) (p itimeT->pt_out) 

(t ttimeT) (s' itimeC->pc_state) (e' i timeC ->pc_env) (p' : t imeC - >pc_out ) 
(tp' ti' t' u' itimeC) . 

(Standard_Assumps pti s e p t s' e' p' tp' ti' /\ 

STABLE_TRUE_THEN_FALSB (\t. SND (I_srdy_E (e' t)))(t'+l,u') /\ 

STABLE_FALSE (Sack_Sig_Xs_TRUB 8' o') (t',t') /\ 

1 <= u ' ) -«> 
STABLB_FALSE ( Sack_Sig_Is_TRUE s' o') ( t ' , u ' - 1 ) " ) , 

REWRITB_TAC [ STABLE_TRUB_THBN_FALSB ; STABLEFALSE ; Sack_Sig_IS_TRUE ] 

THEN BETA_TAC 

THEN REPEAT STRIP_TAC 

THENL [ 

% Subgoal 1: "t' <= (u' - 1)" % 

IMP_RES_TAC (SPBCL ["t'+l";''U' : timoC" ; "1"] LBSS_EQ_MONO_SUB ) 

THEN RULE_ASSUM_TAC (REWRITE_RULE [SPBCL ["t ': timeC" ; "1"] ADD_SUB] ) 

THEN ASM_REWRITB_TAC [ ] 

; 

% Subgoal 2: [ "~SND(I_srdy_E(e' t''))" ] -- srdy false at t''. % 

SPBC_ASSDM_TAC 

("!t. (t' +1) <■ t /\ t < u' ■■> SND(l_srdy_B(e' t) ) '', "t " itlmoC") 
THEN XMP_RES_TAC (RIMP ONE_LESS_EQ ) 

THEN XMP_RES_TAC ( RBWRITB_RULE [PRB_SUB1] LE_PRE_IMP_LT) 

THEN ASM_CASES_TAC " ( t ' +1 ) <=t " " 

THENL [ 

% Subgoal 2.1: [ "(t' + 1) <= t''" ] -- contradiction with srdy true. % 

RES_TAC 
THEN RBS_TAC 

; 

% Subgoal 2.2: [ "~(t' + 1) <= t''" ] -- so t'' = t'. % 

IMP_RES_TAC NOT_LESS_BQ_LESS 

THEN IMP_RES_TAC (REWRITE_RULB [ADD1] LT_SUC_IMP_LB ) 

THEN SUBOOAL_THEN 

"t" « (t': timoC)" (\thm. ROLE_ASSUM_TAC ( REWRITE_RULE [thm] ) ) 

THENL [ 

% Subgoal 2.2.1: (New subgoal) % 

XMP_RE S_TAC LESS_BQDAL_ANTISYM 
I 

% Subgoal 2.2.2: (Continue) -- specialise the point-wise hypothesis at t'. % 

NRULE_ASSUM_TAC 

("!t. t' <■ t /\ t <= t' ==> 

-( (P_sizeS(s' t) » (P_downS (s ' t) => WORDN 1 1 | WORDN 10)) /\ 
rdy_E(e' t)) /\ New_State_Is_PD s' e' t)", 

( (REWRITE_ROLE [SPEC "t ' : timeC" LBSS_EQ_REFL; 

DE_MORQAN_THM] ) o (SPEC "t ': timeC") ) ) 

THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASStJME_TAC thm)) 

THEN RES_TAC 

] 

] 

] 

) I) 

% I_LAST_HI_IMP_SACK_SIG_NOT_TRUE: under Standard_Assumps, if the I_last_0
  output is HI at t' then Sack_Sig_Is_TRUE s' e' t' is false.
  Proof: unfold Sack_Sig_Is_TRUE, rewrite I_last_0 through I_last_ISO and
  WIRE, then case-split on the conditional; the two wire constructors
  are distinct (prove_constructors_distinct wire). %
let I_LAST_HI_XMP_SACK_SIO_NOT_TROE = TAC_PROOF 

(([], 

"! (pti :PTI) (s :timeT->pt_state) (e :timeT->pt_env) (p :timeT->pt_out) 

(t itimeT) (s' :timeC->pc_state) (e' : timeC ->pc_env) (p' :timeC->pe_out) 
(tp' ti' t' : timeC) . 

(Standard_Assumps pti s ept s' e' p' tp' ti' /\ 

( SND ( l_last_0 (p' t ' ) ) -HI)) ==> 

- Saok_S ig_I s_TRUE s' e' t'"), 

REMRITE_TAC [Saok_Sig_lS_TRUE] 

THEN BBTA_TAC 

THEN REPEAT STRIP_TAC 

THEN XMP_RES_TAC BXPAND_STANDARD_ASSUHFS 

THEN UND1SCH_TAC "SND(X_last_0(p' (t': timeC))) = HI" 

THEN IMP_RBS_TAC I_last_ISO 
THEN ASM_RBWRITB_TAC [WIRE] 

THEN COND_CASES_TAC 

THEN ASM_RBWRITE_TAC [SYM_RULE (prove_oonstructors_distinct wire) ] 

)i; 

% SACK_SIG_FALSE_DURING_DATA_0_1: extends SACK_SIG_FALSE_DURING_DATA_0
  across the second ready interval -- when the first falling edge of
  I_srdy_E after ti'+1 is at t'rdy0, the latched block size is non-zero,
  and I_srdy_E is stable-true-then-false on (t'rdy0+1, t'rdy1), then
  Sack_Sig_Is_TRUE s' e' is stable-false on (ti', t'rdy1-1).
  Proof: (1) Sack_Sig is false at the single point t'rdy0 because I_last_0
  is HI there (I_LAST_HI_IMP_SACK_SIG_NOT_TRUE); (2) extend that point to
  (t'rdy0, t'rdy1-1) with I_SRDY_TRUE_IMP_SACK_SIG_NOT_TRUE and join it to
  the (ti', t'rdy0-1) interval using SUP_INTERVAL_STABLE_FALSE.
  NOTE(review): tp' and t'rdy1 occur in the goal but are not in the binder
  list as printed, so they are free in the statement -- confirm against the
  original listing.  The line "-SND(I_s-" inside the goal string also looks
  like a scanning artefact. %
let SACK_SIO_FALSE_DURINO_DATA_0_1 = TAC_PROOF 

( ( []. 

"1 (pti :PTI) (s :timeT->pt_state) (e : timeT->pt_env) (p :timeT->pt_out) 

(t itimeT) (s' :timeC->pc_state) (e' : timeC ->pe_env) (p' : timeC ->pc_out) 
(ti' t'sack t'rdyO :timeC) . 

(Standard_Assumps pti s e p t s' e' p' tp' ti' /\ 

NTH_TIME_PALSE 0 (bsig I_srdy_E e') (ti'+l) t'rdyO A 

VAL 1 (SUBARRAY (SND (L_ad_inB(e< tp')))(l,0)) > 0 /\ 
STABLE_TRUE_THEN_FALSE (bsig I_srdy_E e') (t ' rdyO+1, t ' rdyl) ) =«> 


-SND(I_s- 
STABLE-FALSB (Sack-Sig_ls_TRUE s' e>) ( ti ' , t ' rdyl-1) ") , 

REWRITE_TAC [baig;BSel] 

THEN REPEAT STRIP_TAC 

THEN IMP_RES_TAC BXPAND_STANDARD_ASSUMPS 
THEN XMP_RES_TAC 

(REWRITE-RULE [bsig»BSel] 

I_SRDY_STABLE_TRUB_THEN_FAIiSE_FROM_T ' RDYO_TO_T ' RDY1 ) 
THEN RBWRITB_ASSUM_TAC 

("NTH_TIMB_FALSE 0(\t. SND (I_ardy_E (e ' t)))(ti' + Dt'rdyO", 
[NTH_TXME_FALSB] ) 

THEN IMP_RES_TAC (REWRITE_RULE [bsigjBSel] SACK_SIG_FALSE_DURINGt_DATA_0 ) 
THEN IMP_.RBS_.TAC 

( RBWRITE_RULE [bsig;BSel] I_LAST_STABLE_HI_FROM_TI '_TO_T ' RDYO ) 

THEN SUBQOAL-THEN 

"STABLE-FALSE ( Sack_Sig_Is_TRUB s' e') (t 'rdyO, t 'rdyO ) " ASSUME_TAC 

THENL [ 

% Subgoal 1: (New Subgoal) -- Sack_Sig is false at the point t'rdy0. % 

REWRITE_TAC [STABLE_FALSE] 

THEN BETA_TAC 

THEN ASSUME_TAC (SPEC "t ' rdyO ! t imeC " LESS_EQ_REFL) 

THEN ASM_HEWRITE_TAC [ ] 

THEN REPEAT STRIP_TAC 
THEN SUBGOAL— THEN 

"t' > (t'rdyOitimeC)" (\thm. RULE_ASSUM_TAC (REWRITE_RULE [thm] ) ) 

THENL [ 

% Subgoal 1.1: (New Subgoal) % 

IMP_RES_TAC LESS_EQUAL_ANTISYM 
I 

% Subgoal 1.2: (Continue) -- I_last_0 is HI at t'rdy0. % 

NROLE_ASSOM_TAC 

( "STABLB_HX ( \ t * timeC . SND ( l_last_0 (p ' t)))(ti' + l.t'rdyO)", 
(BETA_RULE o (RBWRITE_RULE [STABLE_HI] ) ) ) 

THEN POP_ASSUM_LIST (MAP_EVBRY (\thm. STRIP_ASSDME_TAC thm)) 

THEN SPEC_ASSDM_TAC 

("It. (ti'+l)<*t /\ to=t 'rdyO (SND(X_last_0(p' t))«HI)", 

"t'rdyOitimeC") 

THEN RBS_TAC 

THEN IMP_RES_TAC I_LAST_HI_XMP_SACK_SIO_NOT_TRUB 


% Subgoal 2: (Continue) -- extend the point to an interval and join. % 

SUBOOAL_THEN "1 <= t'rdyl" ASSUMB_TAC 
THENL [ 

% Subgoal 2.1: (New Subgoal) % 

IMP_RES_TAC (RIMP ONB_LESS_BQ) 

THEN REWRITE_ASSDM_TAC 

("STABLE_TROE_THEN_FALSE(\t. SND (I_srdy_B (e ' t ) ) ) (ti ' +1, t ' rdyO) ", 
[STABLE_TRUB_THBN_FALSB] ) 

THEN REWRITE_ASSUM_TAC 

( "STABLE_TROE_THEN_FALSE ( \t . SND ( I_srdy_E ( e ' t ) ) ) 

(t 'rdyO+1, t'rdyl) ", [ STABLB_TRUB_ THEN-FALSE ] ) 

THEN POP_ASSUM_LIST ( MAP _E VERY (\thm. STRIP_ASSUME_TAC thm)) 

THEN ASSUME_TAC (SPECL ["ti ': timeC"; "1"] LESS_EQ_ADD ) 

THEN ASSOME_TAC (SPECL [ "t ' rdyO t timeC" ; "1" ] LESS_EQ_ADD) 

THEN IMP_RBS_TAC LBSS_EQ_TRANS 
I 

% Subgoal 2.2: (Continue) % 

IMP_RES_TAC I_SRDY_TRDE_IMP_SACK_SIO_NOT_TRUE 
THEN SUBQOAL_THEN 

"(ti' <=■ (t' rdyl-1) ) /\ 

(t'rdyO <= (t 'rdyO-1) +1) " 

STRIP_ASSCMB_TAC 

THENL [ 

% Subgoal 2.2.1: (New subgoal) -- bounds needed by the interval join. % 

REWRITE_ASSUM_TAC 

( "STABLE-FALSE (Sack_Sig_Is_TRUB s' e ' ) (ti ' , t ' rdyO - 1)", 
[STABLE_FALSE] ) 

THEN RBWRITE-ASSOM-TAC 

( "STABLE— TRUE— THEN— FALSE ( \t . SND ( X_srdy_E ( a ' t ) ) ) 

(t'rdyO + l,t'rdyl)", [STABLE— TRUE— THEN— FALSE] ) 

THEN POP— ASSUM— LIST (MAP— EVERY (\thm. STRIP-ASSUMB-TAC thm)) 

THEN IMP— RES— TAC 
(SPECL ["t 'rdyO+1"; "t 'rdylt timeC"; "1"] LESS_EQ_MONO_SUB) 

THEN RBWRITB_ASSUM_TAC 

("((t'rdyO + 1} - 1) <« (t'rdyl - 1) ", [ADD_SUB] ) 

THEM IMP_RES_TAC (RXMP OME_LESS_EQ ) 

THEN ASSOME_TAC (SPECL t "t ' rdyO t timeC" ; "1" ] SUB_LBSS_EQ) 

THEN XMP_HES_TAC LBSS_BQ_TRANS 

THEN IMP_RES_TAC (SPECL ["t ' rdyO ! timeC" ; "1"] SUB_ADD) 

THEN IMP_RES_TAC 

(SPECL ("ti '+1"> "t'rdyO i timeC"; "1"] LESS_BQ_MONO_SUB) 

THEN RBWRITE_ASSUM_TAC 

("((ti' + 1) - 1) <= (t'rdyO - 1) ", [ADD_SUB] ) 

THEN IMP_RES_TAC LESS_EQ_TRANS 

THEN ASSUME_TAC (SPEC "t 'rdyO 1 timeC" LESS_EQ_RBFL) 

THEN ASM_HEWRITE_TAC [ ] 

> 

% Subgoal 2.2.2: (Continue) -- join (ti', t'rdy0-1) and (t'rdy0, t'rdy1-1). % 

IMP_RES_TAC SUP_INTERVAL_STABLE_FALSE 
THEN ASM_REWRITE_TAC [ ] 

] 

] 

] 

) J» 

% P_DOWN_TRUE_THEN_STABLE_FALSE_FROM_T'RDY0_TO_T'RDY1 (name as scanned below).
  Goal: under Standard_Assumps, with I_srdy_E false for the first time over
  (ti'+1, t'rdyO) (NTH_TIME_FALSE 0) and true-then-false over
  (t'rdyO+1, t'rdyl), and with VAL 1 (SUBARRAY (SND (L_ad_inE (e' tp'))) (1,0))
  greater than 0, the predicate (\u'. P_downS (s' u')) is TRUE_THEN_STABLE_FALSE
  over (t'rdyO+1, t'rdyl): true at t'rdyO+1 and false for every later u' up to
  t'rdyl.
  Proof shape: unfold TRUE_THEN_STABLE_FALSE, beta-reduce, strip; this yields
  the three subgoals commented below.  Subgoal 2 reuses
  P_DOWN_STABLE_FALSE_THEN_TRUE_FROM_TP'_TO_T'RDYO.  Subgoal 3 rewrites t' as
  (t'-1)+1 so that P_down_ISO and the I_srdy_E stability assumption can be
  applied at the preceding cycle.
  NOTE(review): this listing is OCR-scanned, so identifiers are garbled
  (ASSUMB_TAC for ASSUME_TAC, RBWRITE for REWRITE, "Dt'rdyO" for ") t'rdyO",
  and so on); resolve them against the cleaner occurrences nearby. %
let P_DOWN_TRUE_THBN_STABLB_FALSE_FROM_T'RDYO_TO_T'RDY1 = TAC_PROOF 

(([], 

"! (pti tPTI) (s ! timeT->pt_state) (e : timeT->pt_env) (p ttimeT->pt_out) 

(t itimeT) («' itimeC->-pe_state) (e' itimeC->po_env) (p' itimeC->pc_out) 
(tp' ti' t'rdyO t'rdyl t timeC) . 

(Standard_As sumps pti s e p t s' e' p' tp' ti' /\ 

NTH_TIMB_FALSB 0 (bsig X_srdy_E e')(ti' + 1) t'rdyO /\ 

STABLE_TRDE_THEN_FALSB (bsig I_srdy_B e') (t'rdyO + 1, t'rdyl) /\ 

(VAL 1 ( SUBARRAY ( SND ( L_ad_inE ( e ' tp' ) ) ) (1,0) ) ) > 0) ==> 

TRUB_THBN_STABLE_FALSE ( \u ' . P_downS(s' u')) (t'rdyO + 1, t'rdyl)"), 
RBWRITE_TAC [TROB_THBN_STABLB_FALSE] 

THEN BBTA_TAC 

THEN REPEAT STRIP_TAC 

THENL [ 

% Subgoal 1: "(t'rdyO + 1) <= t'rdyl" % 

REWRITB_ASSUM_TAC 

( "STABLE_TROE_THBN_FALSE (bsig I_srdy_E e') (t'rdyO + 1, t'rdyl)", 

[ STABLE_TROB_THEN_FALSE ] ) 

THEN POP_ASStJM_LIST ( MAP _E VERY (\thm. STRIP_ASSUME_TAC thm) ) 

THEN ASM_REWRXTE_TAC[] 

I 

% Subgoal 2: "P_downS(s' (t'rdyO + 1))" % 

REWRITE _jASSUM_TAC 

( "NTH_TXME_FALSE 0 (bsig I_srdy_E e')(ti' + 1) t 'rdyO", (NTH_TIMB_FALSE) ) 
THEN POP_ASSOH_LIST ( MAP _B VERY (\thm. STRIP_ASSUME_TAC thm)) 

THEN IMP_RES_TAC P_DOWN_STABLE_FALSE_THEN_TRUE_FROM_TP ' _TO_T ' RDYO 
THEN NRULE_ASSUM_TAC 

( "STABLE_FALSE_THEN_TRUE ( \u ' . P_downS(s' U'))(tp' + 1, t'rdyO + 1)", 
(BBTA_RULE o (RBWRITB_RULE [STABLE_FALSE_THEN_TROB] ) ) ) 

THEN POP_ASSOM_LIST (MAP_EVERY (\thm. STRIP_ASSOME_TAC thm)) 

THEN ASM_RBWRXTE_TAC [ J 
I 

% Subgoal 3: [ "(t'rdyO + 1) < t'" ] 

[ "t' <= t'rdyl" ] 
[ "P_downS (s' t')" ] % 

UNDISCH_TAC "P_dovmS (s' ( t ' : t imeC ) ) " 

THEN IMP_RES_TAC EXPAND_STANDARD_ASSUMPS 

THEN SOBOOAL_THEN "t' = (t'-l)+l" (\thm. PORE_ONCE_REWRITE_TAC [thm]) 
THENL [ 

% Subgoal 3.1: (New Subgoal) % 

IMP_RBS_TAC (RXMP ONB_LBSS_EQ ) 

THEN RBWRXTB_ASSDM_TAC 

( "NTH_TIME_FALSE 0 (bsig I_srdy_B e')(ti' + Dt'rdyO", 
[NTH_TIME_FALSB ] ) 

THEN RBWRITR_ASSUM_TAC 

( "STABLE_TRUE_THEN_FALSE (bsig I_srdy_E e')(ti' + 1, t'rdyO)", 

[ STABLE_TRtJE_THEN_FALSB ] ) 

THEN POP _ASSOM_LIST (MAP_EVBRY (\thm. STRIP_ASSOME_TAC thm)) 

THEN ASSDME_TAC (SPECL ["ti' : timeC"; "1") LESS_BQ_ADD) 
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THEN ASSUME_TAC (SPECL [ "t ' rdyO : timeC" ; "1") LESS_EQ_ADD) 

THEN IMP_RES_TAC LT_IMP_LB 

THEN IMP_RES_TAC LBSS_BQ_ TRANS 

THEN IMP_RBS_TAC LBSS_EQ_ TRANS 

THEN IMP_RES_TAC (SPECL [ "t ' 1 timeC" ; "1"] ( S YM_RULE SOB_ADD) ) 

; 

% Subgoal 3.2: (Continue) % 

IMP_RBS_TAC P_down_ISO 
THEN ASM_RBWRITE„TAC [ ] 

THEN NRULB_ASSOM„TAC 

( "STABLE_TRUB_THBN_FALSE (bsig I_srdy_B a' ) (t 'rdyO + ~ 1 , t 'rdyl) ", 
(BBTA_RULE o ( REWRITE_RULE (STABLE_TRUB_THEN_FALSE;bsig;BSel] ) ) ) 
THEN POP_ASSOM_LIST (MAP_EVERY (\thm. STRIP_ASStJMB_TAC thm)) 

THEN SPEC_ASSOM_TAC 

("It. (t'rdyO +1) <i t /\ t < t'rdyl *=> SND(l_srdy_E(o' t))", 
"t'-l") 

THEN IMP_RES_TAC (REWRITE_ROLE [PRE_SUB1] LT_IMP_LB_PRE ) 

THEN SUBOOAL_THEN "1 <= t ' " ASSUME_TAC 
THBNL [ 

% Subgoal 3.2.1: "1 <= t'" % 

XMP_RBS_TAC (RXMP ONE_LBSS_EQ) 

THEN ASSUME_TAC (SPECL ["ti ‘ : timeC" > "1"] LESS_EQ_ADD) 

THEN RBWRITE_ASSOM_TAC 

( "NTH_TIME_FALSE 0(bBig I_ardy_B e')(ti' + Dt'rdyO", 

[ NTH_TIMB_FALSE 1 ) 

THBN REWRITE _ASSUM_TAC 

( "STABLB_TRUB_THBN_FALSE (bsig I_ardy_B a')(ti' + 1, t'rdyO)", 

[ STABLB_TRUE_THBN_FALSE ] ) 

THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUMB_TAC thm)) 

THEN ASSUMB_TAC (SPECL ["t 'rdyO : tireaC"; "1"] LESS_BQ_ADD) 

THEN ASSOME_TAC (SPECL ["t timeC"; "1"] SOB_LESS_BQ) 

THEN IMP_RES_TAC LESS_BQ_TRANS 
THEN IMP_RES_TAC LESS_EQ_TRANS 

» 

% Subgoal 3.2.2: (Continue) % 

IMP_RE S__TAC (REWRITE_RULE [PRE_SUB1] LE_IMP_PRE_LT ) 

THEN RES_TAC 

THEN ASM_REWRITB_TAC [ ] 

] 

] 

] 

) ;; 

% OFFSET_P_SIZE_STABLE_FROM_T'RDY0_TO_T'RDY1 (name as scanned below).
  Goal: for every offset u' with t'rdyO+u'+2 <= t'rdyl+1, and under the same
  hypotheses as P_DOWN_TRUE_THEN_STABLE_FALSE_FROM_T'RDY0_TO_T'RDY1 (first
  I_srdy_E fall at t'rdyO, true-then-false over (t'rdyO+1, t'rdyl), size field
  VAL 1 (SUBARRAY (SND (L_ad_inE (e' tp'))) (1,0)) > 0),
  P_sizeS (s' (t'rdyO+u'+2)) equals DECN 1 of that size field, i.e. the size
  register holds its decremented value from t'rdyO+2 up to t'rdyl+1.
  Proof: INDUCT_TAC on u' (the outermost binder), after normalising the
  arithmetic with ADD1, ADD_CLAUSES, ADD_ASSOC and 1+1 = 2.
  Base case: P_size_ISO, then P_loadS false and P_downS true at t'rdyO (from
  P_LOAD_TRUE_THEN_STABLE_FALSE_FROM_TP'_TO_T'SACK and
  P_DOWN_STABLE_FALSE_THEN_TRUE_FROM_TP'_TO_T'RDYO) feed
  P_SIZE_STABLE_FROM_TP'_TO_T'RDYO.
  Induction step: P_size_ISO again, with P_loadS and P_downS both false at
  t'rdyO+u'+2 (from P_DOWN_TRUE_THEN_STABLE_FALSE_FROM_T'RDY0_TO_T'RDY1), so
  the size register is unchanged and the inductive hypothesis (RES_TAC) closes
  the goal.
  NOTE(review): the stray line reading "154" inside the induction step is a
  page number from the scanned report, not part of the proof script; the ";"
  separating subgoals 1.1 and 1.2 also appears to have been lost in scanning. %
let OFFSBT_P_SIZE_STABLE_FROM_T ' RDYO_TO_T ' RDY1 = TAC_PROOF 

(((], 

"! (u' itimaC) 

(pti :PTI) (s :timeT->pt_#tata) (a :timaT->pt_env) (p :timeT->pt_out) 

(t itimeT) (•' :timaC->pc_stata) (a' i timeC->po_env) (p' :timeC->po_out) 
(tp' ti' t'rdyO t'rdyl :timeC) . 

( St andard_As sumps pti septa' a' p' tp' ti' /\ 

NTH_TIME_FALSE 0(bsig I_srdy_E e')(ti' + Dt'rdyO /\ 

STABLE_TRnE_THEN_FALSE (bsig I_srdy_E a') (t ' rdyO+1, t ' rdyl) /\ 

VAL 1 ( SUBARRAY ( SND ( L_ad_inE ( a ' tp')))(l # 0)) > 0 /\ 

( (t'rdy0+u'+2) <« t'rdyl+1)) 

«=> 

(P_aizeS (s' (t 'rdy0+u'+2) ) = 

DECN 1 (SOBARRAY ( SND ( L_ad_inE ( a ' tp'))) (1,0)))"), 

INDUCT_TAC 

THEN REWRITE_TAC (AOD1 ; ADD_CLAUSBS j ADD_ASSOC ; SYM_RULE (RBDUCE„CONV "1+1")] 
THBN REPEAT STRIP_TAC 

THBN IMP_RES_TAC BXPAND_STANDARD_ASSUMPS 
THENL [ 

% Subgoal 1: (Base Case) % 

IMP_RBS_TAC P_size_ISO 
THEN ASM_REWRITE_TAC ( ) 

THEN IMP_RES_TAC SACK_SIO_FALSE_DDRINO_DATA_0_1 

THEN IMP_RES_TAC P_LOAD_TROE_THEN_STABLE_FALSE_FROM_TP ' _TO_T ' SACK 
THEN SUBOOAL_THBN 

"tp' < t'rdyO /\ (t'rdyO+1) <= t'rdyl" STRIP_ASSUME_TAC 

THBNL [ 

% Subgoal 1.1: (New Subgoal) % 

IMP_RES_TAC NTH_TRANS_CAUSAL 
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THEN POP_ASSUM ( \thm. ALL_TAC) 

THEN ASSUME_TAC (SPEC "ti'ltimeC" (REWRITE-RULB [ADD1] LBSS-SUCJRBFL) ) 
THEN REWRITE_ASSUM_TAC 

( "NTH_TIMB_FALSE 0 (bsig I_srdy_E e')(ti' + Dt'rdyO", 
[NTH_TXME_FALSE ; STABLE_TRUE_THEN_F ALSE ] ) 

THEN REWRITE.ASSUM_TAC 

( "STABLB_TRUE_THEN_FALSE (bsig I_srdy_E e') (t'rdyO + l,t'rdyl)", 
(STABLE_TROE_THEN_FAI.SE] ) 

THEN POP_ASSUM_LIST (MAP_EVBRY ( \thm. STRIP_ASSOME_TAC thm) ) 

THEN IMP_RES_TAC LESS_EQ_TRANS 
THEN IMP_RES_TAC LESS_EQ_LESS_TRANS 
THEN IMP_RES_TAC LESS_LESS_EQ_TRANS 
THEN IMP_RES_TAC LT_IMP_LB 
THEN ASM_REWRITE_TAC [ ] 

% Subgoal 1.2: (Continue) % 

ASSUME _TAC (SPECL ("t 'rdyO i timeC"; "1"] LESS_EQ_ADD ) 

THEN IMP_RES_TAC LESS_LESS_EQ_TRANS 
THEN IMP_RBS_TAC LBSS_BQ_TRANS 
THEN NROLE_ASSOM_TAC 

( "TROB_THEN_STABLB_FALSE ( \u ' . P_loadS (s' u ' ) ) ( tp ' , t ' rdyl ) " , 
(BETA_RULE o (REWRITE-RULE [ TRUE_THEN_STABLE_FALSE ] ) ) ) 

THEN POP_ASSOM_LIST (MAP_EVBRY (\thm. STRIP_ASSUME_TAC thm) ) 

THEN SPEC_ASSUM_TAC 

("It. tp' < t /\ t <= t'rdyl ==> ~P_loadS(s' t) ", "t 'rdyO stiraeC") 
THEN IMP_RBS_TAC P_LOAD— TRUE— THEN— STABLE— FALSE— FROM— TP ' _TO_T ' SACK 
THEN NRULB_ASSOM_TAC 

( "TROB_THEN_STABLB_FALSE ( \u ' . P_loadS (s' u ' ) ) ( tp ' , t ' rdyl ) " , 
<BETA_RULB O ( RENRITB_ROLE [TRUE_THEN_STABLE_FALSE] ) ) ) 

THEN SPBC_ASSUM_TAC 

("It. tp' < t /\ t <= t'rdyl ==> ~P_ loadsfs' t ) ", "t 'rdyO+1") 
THEN RES_TAC 
THEN ASM_REWRITE_TAC [ ] 

THEN REWRITE _ASSUM_TAC 

( "NTH_TIME_FALSE 0 (bsig I_srdy_E e' ) (ti ' + Dt'rdyO", 
[NTH_TIME_FALSB] ) 

THEN POP_ASSOM_LIST (MAP .EVERY (\thm. STRIP_ASSUME_TAC thm)) 

THEN IMP_RES_TAC P_DOWN_STABLB_FALSE_THEN_TROE_FROM_TP ' _TO_T ' RDYO 
THEN NRULE_ASSUM_TAC 

( "STABLB_FALSE_THEN_TRUE ( \u ' . P_downS(s' u' ) ) ( tp ' +1, t ' rdyO+1 ) ", 

< BBTA_RULB O (REWRITE_RULE [STABLE_FALSE_THEN_TRUE] ) ) ) 

THEN POP—AS SUM-LIST (MAP— EVERY (\thm. STRIP_ASSUME_TAC thm)) 

THEN SPEC— ASSUM— TAC 

("It. (tp' + 1) <= t /\ t < (t'rdyO + 1) ==> -P_ downs (s' t)", 

"t ' rdyO i t imeC " ) 

THEN IMP_RE S_T AC (REWRITE-RULE [ADD1] LT_IMP_SUC_LE) 

THEN ASSUMB-TAC 

(SPEC "t ' rdyO I timeC" ( REWRITE— RULE [AUDI] LBSS_SUC_REFL) ) 

THEN RES-TAC 

THEN ASSUME_TAC (SPEC "t'rdyO I timeC" LESS. EQ— REFL) 

THEN IMP_RE S-TAC P_SIZE-STABLE_FROM_TP ' _TO_T ' RDYO 
THEN ASM-REWRITE-TAC [ ) 


% Subgoal 2: (Induction Step) % 

IMP_RES_TAC P_ size_ISO 
THEN ONCE— ASM—RBWRITB— TAC [ ] 

THEN POP-ASSUM (\thm. ALL-TAC) AKBBP* 

THEN RULE-ASSUH-TAC 

( \thm. REWRITE-RULE (SYM-RULB (REDUCE_CONV "1+1") ;ADD_ASSOC] thm) 
THEN ASSUMB-TAC (SPECL ["(((t'rdyO + u') + 1) + 1)";"1"] LESS— BQ_ ADD ) 

THEN IMP-RES-TAC LESS— EQ_ TRANS 
THEN RES-TAC 

THEN IMP-RES-TAC SACK_SIO_FALSE-DURINO_DATA-0-1 

THEN IMP-RES-TAC P_LOAD—TRUE— THEN— STABLE— FALSE— FROM— TP ' _ T0_ T ' SACK 
THEN NRULE— ASSUM— TAC 

( "TRUE— THEN— STABLE— FALSE ( \u ' . P_loadS (s' U ' ) ) ( tp ' , t ' rdyl ) " , 
(BETA-RULE o (REWRITE-RULE [TRUE— THEN— STABLE— FALSE] ) ) ) 

THEN IMP-RES_TAC P—DOWN—TRUE— THEN— STABLE— FALSE— FROM— T ' RDYO_ TO_ T ' RDY1 
THEN NRULE_ASSUM_TAC 

( "TRUE— THEN— STABLE— FALSE ( \u ' . P_downS(s' u')) (t'rdyO + 1, t'rdyl)", 
(BETA_RULE o ( REWRITE— RULE [TRUE— THEN— STABLE— FALSE ] ) ) ) 


154 



THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thro)) 

THEM SPBC_ASSUM_TAC 

("It* tp' < t A t <= t'rdyl ==> ~P_loadS(s' t)", 

"( <t'rdyO+u')+l)+l") 

THEN SPEC_ASSUM_TAC 

("It. (t'rdyO +1) < t /\ t <= t'rdyl ==> ~P_downS(s' t)", 

"< (t'rdyO+u')+l)+l") 

THEN ASSUME_TAC (SPECL [ "t ' rdyO ! timeC" ; "U ' ttimeC") LBSS_EQ_ADD ) 

THEN IMP_RBS_TAC 

(RIMP ( SPECL ["t 'rdyO i timeC" ;"t 'rdyO+u'"> "1") LBSS_EQ_MONO_ADD_BQ) ) 
THEN ASSUME_TAC (SPEC " (t 'rdyO+u' ) +1" ( REWRITE_ROLE [ADD1] LBSS_SUC_REFL) ) 
THEN IMP_RBS_TAC LBSS_EQ_LESS_TRANS 
THEN IMP_RBS_TAC 

(SPECL [" ( ( (t 'rdyO+U' ) +1) +1) +1") "t 'rdyl+1" J "1"] LESS_EQ_MONO_SUB) 
THEN REWRITE_ASSOM_TAC 

("(((( (t'rdyO + u') + 1) + 1) + 1) - 1) <= ((t'rdyl + 1) - 1)", 
[ADD_SUB] ) 

THEN IMP_RBS_TAC NTH_TRANS„CAOSAL 

THEN ASSUMB_TAC (SPECL I"tl' I tiaeC"; "1"] LBSS_EQ_ADD) 

THEN NRULB_ASSUM_TAC 

( "NTH_TXME_FALSB 0(bsig I_srdy_E e')(ti' + Dt'rdyO", 

(BETA_RULE o 

(REWRITE_RULE [NTH_TIME_PALSE ; STABLE_TROE_THEN_FALSE] ) ) ) 

THEN POP_ASSOM_LIST (MAP_BVERY (\thro. STRIP_ASSUMB_TAC thm) ) 

THEN ASSUME _TAC (SPECL ("t 'rdyO+u' "1"] LBSS_EQ_ADD) 

THEN IMP_RES_TAC LESS_BQ_TRANS 
THEN IMP_RBS_TAC LESS_BQ_LBSS_TRANS 
THEN RES_TAC 
THEN ASM_REWRITE_TAC [ ] 

] 

)>! 

% P_SIZE_STABLE_FROM_T'RDY0_TO_T'RDY1 (name as scanned below).
  Goal: for any t' with t'rdyO+2 <= t' <= t'rdyl+1, and under the same
  hypotheses as the offset lemma (first I_srdy_E fall at t'rdyO,
  true-then-false over (t'rdyO+1, t'rdyl), size field > 0),
  P_sizeS (s' t') = DECN 1 (SUBARRAY (SND (L_ad_inE (e' tp'))) (1,0)).
  Proof: instantiate OFFSET_P_SIZE_STABLE_FROM_T'RDY0_TO_T'RDY1 and then show
  the arithmetic identity t'rdyO + ((t' - (t'rdyO+2)) + 2) = t', which
  rewrites the instantiated assumption into the goal.  Subgoal 1 proves that
  identity: 1.1 establishes 2 <= t' - t'rdyO from the lower bound on t', and
  1.2 discharges the subtraction with ASSOC_SUB_ADD1 / SUB_ADD.  Subgoal 2 is
  then closed by RES_TAC.
  NOTE(review): the SPEC term printed as "t'-tp'+2" and the SPECL_ASSUM_TAC
  instance list are OCR-garbled; the SUBGOAL_THEN term below shows the offset
  actually used is t' - (t'rdyO+2). %
let P_SIZB_STABLB_FROM_T'RDYO_TO_T'RDY1 = TAC_PROOF 

((£], 

"i (t' (timeC) 

(pti jPTI) (» i t imeT - >pt state ) (e ! timeT->pt_env) (p i timeT->pt_out ) 

(t :timeT) (s' : timeC ->pc_st ate) (e' itimeC->pc_env) (p' itimeC->po_out) 
(tp' ti' t'rdyO t'rdyl itlmeC) . 

(Standard_Assvirops pti s e p t s' e' p' tp' ti' /\ 

NTH_TIME_FALSE 0 (bsig X_srdy_E e')(ti' + Dt'rdyO /\ 

STABLB_TRUB_THBN_FALSE (bsig I_srdy_B e') (t 'rdyO+1, t ' rdyl) /\ 

VAL 1 ( SUBARRAY ( SND ( L_ad_inB ( e ' tp ' ) ) ) < 1 , 0 > > > 0 /\ 

((t'rdyO+2) <= t') /\ 

(t' <« t'rdyl+1)) 

»»> 

(P_sizeS (s' t') - DBCN 1 (SUBARRAY (SND(L_ad_inE (e' tp'))) (1,0)))"), 
RBWRXTE_TAC (SYM_RULE (REDUCB_CONV "1+1") ;ADD_ASSOC] 

THEN REPEAT STRIP_TAC 

THEN IMP_RES_TAC (SPEC "t'-tp'+2" OFFSBT_P_SIZB_STABLE_FROM_T ' RDY0_TO_T ' RDY1 ) 
THEN SPECL_ASSUM_TAC 

("! (t ' tp'"ttimeC). (t 'rdy0+ ( (t ' - (tp" '+2) ) +2) ) <= (t'rdyl + 1) ==> 
(P_sizeS (s' (t'rdyO + ( ( t ' - (tp'" +2)) +2))) = 

DBCN 1( SUBARRAY (SND (L_ad_inB(e' ( tp' i timeC) ))) (1, 0) )) ", 

("t ' itimeC"; "t 'rdyO i timeC"] ) 

THEN SUBOOAL_THEN 

"(t'rdyO + ( ( t ' - (t'rdyO +2)) +2)) = t'" 

(\thro. RULB_ASSUM_TAC (REWRITE_RULE [thm])) 

THENL [ 

% Subgoal 1: -New subgoal- "t'rdyO + ((t' - (t'rdyO +2)) +2) = t'" % 
REWRITE_TAC [SYM_RULE (ASS0C_SUB_SUB1 ) ] 

THEN SUBOOAL_THEN "2 <« (t' - t'rdyO)" ASSUME_TAC 
THENL [ 

% Subgoal 1.1: "2 <= (t' - t'rdyO)" 

[ "((t'rdyO +1) +1) <= t'" ] % 

REWRITE_TAC 

[SYM_RULB (SPECL ["2"; "t ' -t ' rdyO" ; "t ' rdyO s timeC") 

LB S S_B Q_MONO_ADD_B Q ) ] 

THEN ASSUMB_TAC (SPECL [ "t ' rdyO : timeC"; "1") LESS_BQ_ADD) 

THEN ASSUMB_TAC (SPECL t"t 'rdyO+1"; "1"] LESS_EQ_ADD) 

THEN IMP_RES_TAC LESS_EQ_ TRANS 

THEN XMP_RB S_TAC (SPECL ["t ' I timeC"; "t ' rdyO : timeC"] SUB_ADD) 

THEN ASM_RBWRITE_TAC [ ] 
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; 


THEN PURB_ONCB_REWRITB_TAC [ADD_SYM] 

THEN ASM_RBWRITE_TAC [SYM_RULE (REDOCE_CONV "1+1") ;ADD_ASSOC] 

% Subgoal 1.2: [ "2 <= (t' - t'rdyO)" ] % 

ASSUMB_TAC (SPEC "2" LESS_BQ_REFL ) 

THEN XMP_RES_TAC (SPBCL ["t ' -t 'rdyO"; "2"; "2"] ASSOC_SOB_ADDl) 

THEN ASM_RBWRITB_TAC [SUB_BQUAL_0 ; ADD_CLAUSES ] 

THEN PURE_ONCE_RBWRITE_TAC [ADD_SYM] 

THEN ASSUMEJEAC (SPBCL C"t 'rdyO t timeC" ) "1"1 LBSS_RQ_ADD) 

THEN ASSUMB_TAC (SPECL ["t ' rdyO+1"; "1"] LESS_EQ_ADD ) 

THEN IMP_BES_TAC LBSS_EQ_TRANS 

THEN IMP_HES_TAC (SPECL ["t ' t timeC" ; "t 'rdyO : timeC"] SUB_ADD ) 

] 

; 

% Subgoal 2 % 

RES_TAC 

] 

);> 

% DECN_WORDN_1_NOT_EQ (name as scanned below).
  Statement: for every 1-bit-indexed word x and naturals m, n,
  VAL 1 x > n ==> n > m ==> ~(DECN 1 x = WORDN 1 m).
  NOTE(review): this lemma is introduced with mk_thm, which manufactures a
  theorem from a term without running any proof through the HOL kernel.  It is
  therefore an unverified assumption that joins the trusted base of this
  verification; every result that cites it, in particular
  I_LAST_STABLE_HI_FROM_T'RDY0_TO_T'RDY1 further down, is sound only if this
  statement is true.  It should either be replaced by a TAC_PROOF over the
  definitions of DECN, WORDN and VAL, or be recorded explicitly as an axiom of
  the word theory together with the justification for taking it on trust. %
let DECN_WORDN_l_NOT_BQ = mk_thm 

( M, 

"1 (x twordn) (m n mum) . 

(VAL 1 x > n) ==> 

(n > m) -=> 

~ (DECN 1 X = WORDN 1 m) " 

))> 

% I_LAST_STABLE_HI_FROM_T'RDY0_TO_T'RDY1 (name as scanned below).
  Goal: under Standard_Assumps, with the first I_srdy_E fall at t'rdyO,
  I_srdy_E true-then-false over (t'rdyO+1, t'rdyl), and the size field
  VAL 1 (SUBARRAY (SND (L_ad_inE (e' tp'))) (1,0)) greater than 1 (i.e. a
  block of more than two transfers remains), the output bit bsig l_last_0 p'
  is HI throughout (t'rdyO+1, t'rdyl).
  Proof: unfold bsig, BSel and STABLE_HI; IB_READY_ASSUMPS supplies the
  ready-signal facts.  Subgoal 1 is the interval bound.  Subgoal 2 first
  derives size > 0 from size > 1, then tp' <= ti' and ti'+1 <= t'rdyO
  (NTH_TRANS_CAUSAL), then establishes New_State_Is_PD at t' and the P_downS
  profile (P_DOWN_TRUE_THEN_STABLE_FALSE_FROM_T'RDY0_TO_T'RDY1), so that
  I_last_ISO reduces the output to a comparison of the size register with
  WORDN 1 0.  The final case split is on (t'rdyO+1) < t': strictly after
  t'rdyO+1 the size register is DECN 1 of the size field
  (P_SIZE_STABLE_FROM_T'RDY0_TO_T'RDY1) and DECN_WORDN_1_NOT_EQ separates it
  from WORDN 1 0; at t' = t'rdyO+1 P_SIZE_STABLE_AT_T'RDY0_PLUS_1, MAXWORD and
  WORDN_1_NOT_EQUAL do the same for the undecremented value.
  NOTE(review): this proof depends on DECN_WORDN_1_NOT_EQ, which the listing
  asserts with mk_thm rather than proving; see the note on that lemma.  The
  first binder is printed as "(e itimeT->pt_state)" where the body uses s,
  which is an OCR error. %
let I_LAST_STABLB_HI_FROM_T ' RDYO_TO_T ' RDY1 = TAC_PROOF 

(( [], 

"1 (pti :PTI) (e itimeT->pt_state) (e »timeT->pt_env) (p ! timeT->pt_out ) 

(t stlmeT) (s' s timeC- >pc_at ate) (e' ! timeC ->pe_env) (p' i timeC->pc_out) 
(tp' ti' t'rdyO : timeC) . 

(Standard_Assumps pti e e p t s' e' p' tp' ti' /\ 

NTH_TXME_FALSE 0 (bsig I_srdy_E e') (ti'+l) t'rdyO /\ 

STABLB_TRUE_THBN_FALSE (bsig I_srdy_E e') ( t ' rdyO+1, t ' rdyl) /\ 

(VAL 1 ( SUBARRAY ( SND ( L_ad_inB ( e ' tp')))(l,0)) > 1)) ==> 

STABLE_HI (bsig l_last_0 p') (t ' rdyO+1, t ' rdyl) ") , 

RBWRITE_TAC [bsig; BSel;STABLE_HI] 

THEN REPEAT STRIP_TAC 

THEN IMF_RBS_TAC ( RBWRITE_RULE [bsigjBSel] IB_READY_ASSUMPS ) 

THENL [ 

% Subgoal 1: "(t'rdyO + 1) <= t'rdyl" % 

RBWRITE_ASSUM_TAC 

("STABLB_TROE_THEN_FALSE(\t. SND(I_srdy_E(e' t) ) ) (t'rdyO + 1, t'rdyl)", 
[STABLE_TRUE_THBN_FALSE] ) 

THEN ASM_RBWRITE_TAC [ ] 

I 

% Subgoal 2: 

"(\t. SND ( I_last_o (p ' t) ) ) t ' = HI" 

[ "STABLE_TRUE_THEN_FALSE ( \t . SND (I_srdy_E (e' t))) (t'rdyO + 1, t'rdyl)" ] 
[ "(t'rdyO + 1) <= t'" ] 

[ "t' <= t'rdyl" ] % 

BETA_TAC 

THEN IMP_RES_TAC EXPAND_STANDARD_ASSUMPS 
THEN SUBOOAL_THEN 

"VAL 1 ( SUBARRAY ( SND ( L_ad_inB ( a ' (tp' ttimeC) ) ) ) (1, 0) ) > 0" 
ASSDME_TAC 

THENL ( 

% Subgoal 2.1: (New subgoal) % 

RBWRITE_TAC [ GREATER] 

THEN RULB_ASSUM_TAC (\thm. REWRITE_RULE [GREATER] tbm) 

THEN ASSUME_TAC (REWRXTB_RULE [] (REDUCB_CONV "0<1") ) 

THEN IMF_RBS_TAC LBSS_TRANS 
I 

% Subgoal 2.2: (Continue) % 

SUBGOAL_THEN "(tp'<=ti') /\ ((ti'+l) <= t'rdyO)" STRIP_ASSUME_TAC 
THENL [ 

% Subgoal 2.2.1: (New subgoal) % 

IMP_RES_TAC NTH_TRANS_CAUSAL 
THEN REWRITB_ASSUM_TAC 

("NTH_TIME_FALSE 0(\t. SND ( I_srdy_E (e ' t)))(ti' + Dt'rdyO", 
[NTH_TIME_FALSB;STABLE_TRUB_THBN_FALSB] ) 
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THEN POP_ASSUM_LXST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm)) 

THEN ASM_RBWRITE_TAC [ ] 

% Subgoal 2.2.2: (Continue) % 

ASSUME_TAC (SPECL ["t 'rdyO s timeC"; "1"] LBSS_BQ_ADD ) 

THEN ASSUME_TAC (SPECL ["t 'rdylt timeC"; "1"] LESS_EQ_ADD ) 

THEN XMP_RE S_TAC LESS_EQ_TRANS 
THEN IMP_RES_TAC 

( REWRITE_RULE [bsig;BSel] SACK_SIQ_FALSE_DURING_DATA_0_1) 

THEN IMP_RBS_TAC NTH_TIME_TRUB_X_IMP_X 

THEN XMP_RES_TAC NEW_STATE_PD_FROM_TI ' _TO_T ' SACK_1 

THEN IMP_RES_TAC 

(RBWRITE_ROLB 

[bsig;BSel] 

P_DOWN_TRUB_THBN_STABLB_FALSE_FROM_T ' RDYO_TO_T ' RDY1 ) 

THEN NRULB_ASSUM_TAC 

( "TRUE_THEN_STABLB_FALSB ( \u ' . P_downS ( 8 ' u' ) ) ( t 'rdyO+l, t 'rdyl) ", 
( BBTA_RULE o ( REWRITE_ROLE [TRUE_THEN_STABLB_FALSB] ) ) ) 

THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSOMB_TAC thm)) 

THEN SPEC_ASSUM_TAC 

("It. (t'rdyO + 1) < t /\ t <= t'rdyl ==> ~P_downS(s' t)", 

"t' i timeC") 

THEN RBWRITE_ASSUM_TAC ( "New_State_Is_PD 8' e' t ' [New_State_Is_PD] ) 
THEN IMP_RE S_TAC I_last_ISO 
THEN ASM_RBWRITE_TAC 

[WIRE ; SYM_RULE (prove_con8tructors_dlstlnct pf sm_ty_Ariom) ] 
THEN POP_ASSUM (\thm. ALL_TAC) 

THEN ASM_CASES_TAC "(t'rdyO+1) < t ' " 

THENL [ 

% Subgoal 2.2.2.1: [ "(t'rdyO + 1) < t'" ] % 

IMP_RES_TAC ( REWRI TE_RULE [ADD1] LT_IMP_SUC_LB ) 

THEN NRDLE_ASSOM_TAC 

("((t'rdyO + 1) + 1) <= t'", 

(REDOCE_RULE o (REWRXTE.RDLE [SYM_RULE ADD_ASSOC ] ) ) ) 

THEN IMP_RBS_TAC 

( REWRI TE_ROLE [bsig/BSel] P_SIZE_STABLE_FROM_T ' KDYO_TO_T ' RDY1 ) 
THEN RES_TAC 

THEN ASSUME_TAC (REWRITE_RULB [) (REDUCE_CONV "1>0") ) 

THEN IMP_RBS_TAC 

(SPECL [ "SUBARRAY (SND (L_ad_inE (e' (tp' itimeC) ) ) ) (1,0) "j 
„0";"1"] DECN_WORDN_l_NOT_EQ) 

THEN ASM_REWRITE_TAC[] 

I 

% Subgoal 2.2.2.2: [ "~(t'rdyO + 1) < t'" ] % 

SUBOOAL_THEN "t ' = t'rdyO+1" (\thm. REWRITE_TAC [thm]) 

THENL [ 

% Subgoal 2.2.2.2.1: (New Subgoal) % 

IMP_RBS_TAC NOT_LESS 

THEN IMP_RBS_TAC LESS_EQUAL_ANTISYM 

I 

% Subgoal 2.2.2.2.2: (Continue) % 

RBWRITE_ASSUM_TAC 

( "NTH_TIME_FALSE 0(\t. SND ( I_srdy_E ( e ' t ) ) ) (ti ' + Dt'rdyO", 

[ NTH_T IHE_F ALSE ] ) 

THEN POP_ASSUM_LIST (MAP_EVBRY (\thm. STRIP_ASSUME_TAC thm)) 

THEN IMP_RES__TAC 

( REWRITB_RULE [bsig/BSel] P_SIZE_STABLE_AT_T'RDY0_PLUS_1) 
THEN IMP_RBS_TAC OT_IMP_NOT_BQ 
THEN ASSUMB_TAC 

( REDUCE_RULE 

(SPECL ["l"; "SUBARRAY(SND(L_ad_inB (e ' (tp' stimeC) ) ) ) (1,0) "] 
MAXWORD) ) 

THEN IMP_RBS_TAC ( RBWRITE_RULE [PRE_SUB1] LT_IMP_LE_PRE ) 

THEN NRULE_ASSUM_TAC 

("(VAL 1( SUBARRAY (SND (L_ad_inE(e' (tp' s timeC) ))) (1, 0 )) ) 

<= (4 - 1)",REDUCE_RULE) 

THEN ASSUME_TAC ( REWRITB_RULB [] (REDUCE_CONV "1<«3") ) 

THEN IMP_RHS_TAC WORDN_l_NOT_EQUAL 
THEN ASSUMB_TAC 

( SPEC "SND ( L_ad_inE ( e ' ftp's timeC ) ) ) " SIZE_SUBARRAY_1 ) 
THEN IMP_RES_TAC WORDN_VAL_IDENT_l 
THEN ASM_REWRITE_ASSUM_TAC 
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("-(WOKEN 1 ( VAL 1 (SUBARRAY ( SND (L_adLinB (o' (tp' ttimeC) ) ) ) 
(1,0))) = WORDN 1 1)", []) 

THEN ASM_RBWRITB_TAC 1 3 
3 
3 
3 

] 

3 

);; 

% I_LAST_FOR_BLOCK_SIZE_1 (name as scanned below).
  Goal: under Standard_Assumps, when the size field
  SUBARRAY (SND (L_ad_inE (e' tp'))) (1,0) equals WORDN 1 1, the first
  I_srdy_E fall is at t'rdyO and I_srdy_E is true-then-false over
  (t'rdyO+1, t'rdyl), then bsig l_last_0 p' is HI throughout (ti'+1, t'rdyO)
  and LO throughout (t'rdyO+1, t'rdyl).
  Proof: one branch per conjunct.  Both first derive VAL of the size field
  > 0 from the WORDN 1 1 equation (VAL_WORDN_IDENT_1, REDUCE_TAC).
  Subgoal 1 then unfolds NTH_TIME_FALSE and applies
  I_LAST_STABLE_HI_FROM_TI'_TO_T'RDYO.  Subgoal 2 unfolds STABLE_LO, bsig and
  BSel; after I_last_ISO and New_State_Is_PD at t' (via
  NEW_STATE_PD_FROM_TI'_TO_T'SACK_1 and P_DOWN_TRUE_THEN_STABLE_FALSE_FROM_
  T'RDY0_TO_T'RDY1) it splits on (t'rdyO+1) < t': strictly after, the size
  register is DECN 1 (WORDN 1 1) = WORDN 1 0 by
  P_SIZE_STABLE_FROM_T'RDY0_TO_T'RDY1 and DECN_WORDN_1; at t' = t'rdyO+1,
  P_SIZE_STABLE_AT_T'RDY0_PLUS_1 applies.  Both close by rewriting with WIRE.
  NOTE(review): the closing brackets and ";;" of this proof are absent from
  the scanned listing; the next "let" begins directly after
  "ASM_REWRITE_TAC [WIRE]".  The ";" between subgoals 1.2 and 2 is likewise
  missing.  The second binder is printed "(a i timoT->pt_atate)" for s. %
lot I_LASTJ?OR_BLOCK_SIZE_l = TAC_PROOF 

(([], 

"1 (pti iPTI) (a i timoT->pt_atate) (o ttimeT->pt_env) (p :timoT->pt_out) 

(t itimoT) (s' ttimeC->pc_state) (o' itimeC->pc_env) (p' itimeC->pe_out) 
(tp' ti' t'rdyO itimoC) . 

(Standard _Assumpa pti septa' o' p' tp' ti' /\ 

(SUBARRAY(SND(L_ad_inS(e' tp')))(l,0) = WORDN 1 1) A 
NTH_TIME_FALSE 0(bsig I_srdy_E o')(ti' + 1) t'rdyO A 
STABLB_TRUB_THBN_FALSB (bsig I_srdy_B o') (t 'rdyO+1, t 'rdyl) ) ==> 

(STABLE_HI (bsig l_last_0 p') (ti ' +1, t ' rdyO) /\ 

STABLE_LO (bsig l_last_0 p') ( t ' rdyO+1, t 'rdyl) )") , 

REPEAT STRIP_TAC 
THBNL [ 

% Subgoal 1: "STABLE_HI (bsig l_last_0 p')(ti' + 1, t'rdyO)" % 

SUBQOAL_THEN 

"VAL 1( SUBARRAY ( SND ( L_ad_inE (o' (tp' ttimoC) ) ) ) (1, 0) ) > 0" ASSUME_TAC 
THENL [ 

% Subgoal 1.1: (New Subgoal) % 

ASM_RBWKITB_TAC [ ] 

THEN ASSUME_TAC ( REWRITE_RULB [3 (REDUCE_CONV "1 <- 3")) 

THEN IMP_RES_TAC VAL_WORDN_IDENT_l 
THEN ASM_RBWRITB_TAC [ ] 

THEN REDUCB_TAC 

; 

% Subgoal 1.2: (Continue) % 

RBWRITE_ASSUMl_TAC 

( "NTH_TIMB_FALSB 0 (bsig I_srdy_E o')(ti' + 1) t'rdyO", 

[ NTH_TIMK_FALSE 3 ) 

THEN IMP_RES_TAC I_LAST_STABLB_HI_FROM_TI ' _TO_T ' RDYO 


% Subgoal 2: "STABLE_LO (bsig l_last_0 p') (t'rdyO + 1, t'rdyl)" % 
SUBOOAL_THBN 

"VAL 1 (SUBARRAY (SND (L_ad_inE (o' (tp' ItimoC) ))) (1, 0 ) ) > 0" ASSUME_TAC 
THENL ( 

% Subgoal 2.1: (New Subgoal) % 

ASM_RBWRITB_TAC [ 3 

THEN ASSUMB_TAC (RHWRITBJRULB (3 (RBDUCB_CONV "1 <= 3")) 

THEN IMP_RBS_TAC VAL_WORDN_IDENT_l 
THEN ASH_REWRITB_TAC ( ] 

THEN RBDUCB_TAC 
I 

% Subgoal 2.2: (Continue) % 

REWRITE_TAC [STABLE_LO;bsig; BSel] 

THEN BBTA_TAC 

THEN REPEAT STRIP_TAC 

THENL [ 

% Subgoal 2.2.1: "(t'rdyO + 1) <= t'rdyl" % 

REWRITE _ASSUM_TAC 

( "STABLB_TRUE_THEN_FALSB (bsig I_srdy_E e') (t'rdyO + 1, t'rdyl)", 
[STABLE_TRUE_THEN_FALSE] ) 

THEN POP_ASSUM_LIST ( MAP _B VERY (\tlun. STRIP_ASSUMB_TAC thm) ) 

THEN ASM_REWRITB_TAC [ ] 

I 

% Subgoal 2.2.2: "SND(I_last_0(p' t')) = LO" % 

IMP_RES_TAC EXPAND_STANDARD_ASSUMPS 
THEN IMP_RBS_TAC I_last_ISO 
THEN ASM_REWRITE_TAC (] 

THEN POP_ASSUM (\tlim. ALL_TAC ) 

THEN IMP_RES_TAC P_SIZE_STABLE_FROM_T ' RDYO_TO_T ' RDY1 
THEN IMP_RES_TAC SACK_SIO_FALSE_DURINO_DATA_0_1 
THEN IMP_RBS_TAC NTH_TIME_TRUE_X_IMP_X 
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THEN IMP_RES_TAC NEW_STATE_PD_FROM_TI ' _TO_T ' SACK_1 
THEN POP_ASSUH (\thm. ALL_TAC) 

THEN SPEC_ASSOM_TAC 

("!t'. (ti' + 1) <= t' ==> t' <= t'rdyl ==> 

New_state_Ia_PD a' o' itimoC") 

THEN SUBOOAL_THBN " (ti ' +1) <=t ' " ASSUMB_TAC 
THENL [ 

% Subgoal 2.2.2.1: (New subgoal) % 

REWRITB_ASSUM_TAC 

( "NTH_TIMB_FALSB 0(baig I_ardy_E e')(ti' + Dt'rdyO", 
[NTH_TIMB_FALSB ; STABLB_TROE_THEN_FALSB ] ) 

THEN POP_ASSOM_LIST ( MAP_EVERY (\thm. STRIF_ASSOMB_TAC thm)) 

THEN ASSOME_TAC (SPECL ("t 'rdyO :timeC"> "1"] LBSS_EQ_ADD) 

THEN IMP_RES_TAC LESS_EQ_TRANS 
I 

% Subgoal 2.2.2.2: (Continue) % 

RBS_TAC 

THEN REWRXTE_ASSOM_TAC 

( "New_State_Ia_PD a' e' t'", [New_State_Xa_PD] ) 

THEN ASM_REWRITE_TAC 

[ S YM_RULE (prove_conatructorB_diatinct pf am_ty_Axiom) ) 

THEN IMP_RES_TAC 

P_DOWN_TRDB_THEN_STABLB_FALSE_FROM_T ' RDYO_TO_T ' RDY1 
THEN NRHLE_ASSOM_TAC 

( "TRUB_THEN_STABLE_FALSB ( \u ' . P_downS ( a ' u' ) ) (t 'rdyO+l, t ' rdyl) " , 
(BETA_RULE o ( RBWRITE_RULB [TRUE_THEN_STABLE_FALSE ] ) ) ) 

THEN POP_ASSOM_LIST ( MAP JS VERY (\thm. STRIP_ASSUME_TAC thm)) 

THEN SPEC_ASSDM_TAC 

("It. (t'rdyO + 1) < t /\ t <= t'rdyl ==> ~P_downS ( s ' t)", 
"t' :timec") 

THEN ASM_CASES_TAC "(t'rdyO + 1) < t'" 

THENL [ 

% Subgoal 2.2.2.2.1: [ "(t'rdyO + 1) < t'" ] % 

IMP_RBS_TAC (REWRITE_ROLE [ADDl] LT_IMP_SOC_LE ) 

THEN RHWRITE_ASSUM_TAC 

("( (t'rdyO+l)+l)<=t'", [ ASSOC_ADD_ADDl ; RBDUCB_CONV "1+1"]) 
THEN ASSUME_TAC (SPECL t "t 'rdyl : timeC"; "1"] LBSS_BQ_ADD) 

THEN IMP_RES_TAC LESS_EQ_TRANS 

THEN RBS_TAC 

THEN ASM_REWRITB_TAC ( ] 

THEN ASSUMB_TAC ( REWRITE_ROLB [] (REDUCE_CONV "1<=3") ) 

THEN ASSUME_TAC ( RBWRITE_RULE [] (REDOCE_CONV "0<=3") ) 

THEN ASSOMB_TAC ( RBWRITE_RULB I] (RBDUCB_CONV "1=0+1") ) 

THEN XMP_RES_TAC (SPECL t"l";"0"] DBCN_WORDN_l ) 

THEN DELETE_ASSOM_TAC "1 = 0 + 1" 

THEN ASM_RBWRXTB_TAC (WIRE] 

: 

% Subgoal 2.2.2.2.2: [ "~(t'rdyO + 1) < t'" ] % 

IMP_RES_TAC NOT_LBSS 

THEN SOBOOAL_THBN "t ' = t'rdyO+1" (\thm. REWRITE_TAC [thm]) 

THENL [ 

% Subgoal 2.2.2.2.2.1: (New Subgoal) % 

IMP_RBS_TAC LESS_EQUAL_ANTISYM 
I 

% Subgoal 2.2.2.2.2.2: (Continue) % 

RBWRITE_ASSUM_TAC 

( "NTH_TIMB_FALSB 0(baig I_ardy_E e’)(ti' + Dt'rdyO", 
[NTH_TIMB_FALSB] ) 

THEN IMP_RES_TAC P_SIZB_STABLE_AT_T ' RDY0_PLUS_1 
THEN ASH_RBWRXTE_TAC [WIRE] 


% I_SRDY_STABLE_TRUE_THEN_FALSE_FROM_T'RDY1_TO_T'RDY2 (name as scanned below).
  Goal: under Standard_Assumps, when the second fall of I_srdy_E after ti'+1
  is at t'rdyl (NTH_TIME_FALSE 1) and the size field
  VAL 1 (SUBARRAY (SND (L_ad_inE (e' tp'))) (1,0)) exceeds 1, there exists a
  t'rdy2 such that bsig I_srdy_E e' is true-then-false over
  (t'rdyl+1, t'rdy2); i.e. a further ready event follows the second one.
  Proof: IB_READY_ASSUMPS (rewritten with rdy_sig_ib and BSel, specialised
  to t'rdyl) gives the existential once rdy_sig_ib s' p' holds at t'rdyl.
  The subgoal splits NTH_TIME_FALSE 1 into a first event ending at some u'
  followed by a true-then-false stretch (u'+1, t'rdyl), identified with the
  witness via STABLE_TRUE_THEN_FALSE_UNIQUE.  Subgoal 2 then obtains
  bsig l_last_0 p' = HI at t'rdyl from I_LAST_STABLE_HI_FROM_T'RDY0_TO_T'RDY1,
  discharges the ready-signal premise with RES_TAC, and finishes with
  EXISTS_TAC "v'".
  NOTE(review): pti occurs in the goal body (Standard_Assumps pti ...) but not
  in the printed binder list, and t'rdyO is used but also not printed there;
  either they are free in the theorem as proved or the binder line was lost in
  scanning.  Confirm against the original script before relying on the exact
  quantifier structure. %
let I_SRDY_STABLE_TRTJB_THEN_FALSE_FROM_T ' RDYl_TO_T ' RDY2 = TAC_PROOF 

(([], 

"1 (a : timeT->pt_atate) (e :timeT->pt_env) (p :timeT->pt_out) 

(t stimeT) (a' :timeC->pc_atate) (e' :timeC->pc_env) (p' :timeC->pc_out) 
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(tp' ti' t'rdyl ttimeC) . 

(Standard_Aaauinps pti s a p t a' a' p' tp' ti' A 
NTH_TIME_FALSE 1 (bsig I_ardy_E e') (ti'+l) t'rdyl A 
VAL 1 ( SUBARRAY ( SND ( L_ad_inE ( a ' tp')))(l,0)) > 1) ==> 

(?t'rdy2. STABLE_TRUE_THBN_FALSE (bsig I_ardy_E e ' ) (t ' rdyl+1, t ' rdy2 ) ) ") , 
REPEAT STRIF_TAC 

THEN IMP_RES_TAC BXPANP_STANDARD_ASSUMPS 
THEN IMP_RES_TAC IB_READY_ASSOMPS 
THEN NROLB_ASSUM_TAC 

("!u'. rdy_sig_ib a' p' u' ==> 

(?v'. STABLE_TROB_THEN_PALSE(baig I_srdy_E e')(u'~+ l,v'))", 
(BETA_RULE o 

(SPEC *t'rdyl:timeC") o (RBWRITE_ROLE [rdy_sig_ib) BSel] ) ) ) 

THEN IMP_RES_TAC NTH_TIME_FALSE_X_IMP_NOT_X 
THEN NRULB_ASStJM_TAC 

("-bsig I_ardy_E a' t ' rdy 1 " , ( BETA_RULE o ( REWRITE_RULB tbs ig; BSel] ) ) ) 
THEN SUBOOAL_THBN 

"NTH_TIMB_FALSB 0 (bsig I_ardy_E a') (ti'+l) u' A 
STABLB_TR0B_THEN_FALSB (baig I_srdy_B a') (u' +1, t 'rdyl) " 
STRIP_ASSUMB_TAC 

THENL [ 

% Subgoal 1: (New Subgoal) % 

RBWRITB_ASSUM_TAC 

( "NTH_T!MB_FALSB l(baig I_erdy_B e')(ti' + l)t 'rdyl", 

[num_CONV "1";NTH_TIME_FALSE] ) 

THEN CHOOSE_ASSUM_TAC 

"It. STABLE_TROE_THBN_FALSE(baig I_ardy_E e’)(ti'+(Snc 0),t)/\ 

STABLB_TRUE_THEN_FALSE (baig I_ardy_B e')(t+(SOC 0), t'rdyl)" 

THEN POP_ASStJM_LIST 
(MAP_BVBRY 

( \thm. STRIP_ASSDME_TAC 

(REWRITE_RDLE [ADDl; ADD_CLADSES] thm) ) ) 

THEN SHBOOAL_THEN "u ' = (t'ltimaC)" (\thm. RBWRITE_TAC tthm) ) 

THENL [ 

% Subgoal 1.1: (New subgoal) % 

IMP_RB S_TAC STABLB_TROE_THEN_FALSB_UNIQOB 
J 

% Subgoal 1.2: (Continue) % 

ASM_RBWRITE_TAC [NTH_TIME_FALSB] 

1 

) 

% Subgoal 2: (Continue) % 

IMP_RES_TAC I_LAST_STABLE_HI_FROM_T ' RDYO_TO_T ' RDY1 
THEN NRULB_ASSOM_TAC 

( "STABLE_HX (bsig l_laat_0 p')(u' + 1, t'rdyl)", 

(BETA_ROLB o ( REWRITE_RULE [STABLB_HI] ) ) ) 

THEN POP_ASSOM_LIST (MAP_EVERY (\thm. STRIP_ASStJME_TAC thm)) 

THEN NROLB_ASSUM_TAC 

("It. (u' +1) <= t /\ t <a t'rdyl ==> (baig l_laat_0 p' t = HI)", 
(BBTA_ROLB o (SPEC "t 'rdyl : timaC") o ( REWRITE _RULE [baig/BSel] ) ) ) 
THEN ASSDMB_TAC (SPBC "t 'rdyl t timaC" LESS_EQ_REFL) 

THEN RBS_TAC 
THEN RBS_TAC 

THEN EXISTS_TAC "v'ltimeC" 

THEN ASM_REWRITB_TAC[) 

) 

) ;; 

% SACK_SIG_FALSE_DURING_DATA_1_2 (name as scanned below).
  Goal: under Standard_Assumps, with the second I_srdy_E fall at t'rdyl
  (NTH_TIME_FALSE 1), size field
  VAL 1 (SUBARRAY (SND (L_ad_inE (e' tp'))) (1,0)) > 1, and I_srdy_E
  true-then-false over (t'rdyl+1, t'rdy2), the predicate
  Sack_Sig_Is_TRUE s' e' is STABLE_FALSE over (ti', t'rdy2-1): no
  acknowledge is signalled between the start of the transfer and the cycle
  before the third ready event.
  Proof: after deriving size > 0 and obtaining the first ready event t' from
  PRIOR_FALSE_EVENTS_EXIST (subgoal 2.1 identifies it through
  STABLE_TRUE_THEN_FALSE_UNIQUE), the interval is covered in three pieces and
  glued with SUP_INTERVAL_STABLE_FALSE:
    (ti', t'rdyl-1)     from SACK_SIG_FALSE_DURING_DATA_0_1 (subgoal 2.2.2);
    (t'rdyl, t'rdyl)    from l_last_0 = HI at t'rdyl
                        (I_LAST_STABLE_HI_FROM_T'RDY0_TO_T'RDY1) and
                        I_LAST_HI_IMP_SACK_SIG_NOT_TRUE (subgoal 2.2.1);
    (t'rdyl+1, t'rdy2-1) from I_SRDY_TRUE_IMP_SACK_SIG_NOT_TRUE (subgoal 2.2.2).
  Subgoal 2.2.2.1 is the arithmetic showing the pieces abut.
  NOTE(review): the binder line is printed as "(ti' t'rdyl t'rdyl (timed ."
  although the goal uses tp', t'rdyl and t'rdy2; this is an OCR error, and
  the assumption texts quoted in REWRITE_ASSUM_TAC below show t'rdy2 as the
  upper bound. %
lot SACK_SIO_FALSB_DDRINO_DATA_l_2 = TAC_PR00F 
( ( tl . 

"! (pti :PTI) (a ttimeT->pt_atate) (a i timeT->pt_env) (p : timoT->pt_out ) 

(t ttimoT) (a' ttimeC->pc_stata) (o' itimeC->pc_anv) (p' :timeC->po_out) 
(ti' t'rdyl t'rdyl (timed . 

(Standard_Assumps pti a a p t a' a' p' tp' ti' A 
NTH_TIMB_FALSB 1 (baig I_srdy_E a') (ti'+l) t'rdyl A 
VAL 1 ( SUBARRAY ( SND ( L_ad_inE ( a ' tp')))(l,0)) > 1 A 
STABLE_TRUE_THEN_FALSE (baig I_ardy_E a') (t ' rdyl+1, t 'rdy2 ) ) ==> 
STABLB_FALSB (Sacfc_Sig_Ia_TRCB a' a') (ti' ,t'rdy2-l) ") , 

REWRITB_TAC [baigjBSel] 

THEN REPEAT STRIP_TAC 

THEN IMP _RE S _T AC EXPAND_STANDARD_ASSUMPS 
THEN SUBQOAL_THEN 
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"VAL 1 ( SUBARRAY < SND ( L_ad_inB ( e ' (tp' :timeC) ) ) ) (1, 0) ) > 0" 

ASSUME_TAC 

THBNL [ 

% Subgoal 1: (New subgoal) % 

RBWRITE_TAC [GREATER] 

THEN RCJLE_ASSUM_TAC ( \thm. REWRITE_RULB [GREATER) thm) 

THEN ASSDME_TAC (REWRITE_ROLE [] (REDUCE_CONV "0<1") ) 

THEN IMP_RES_TAC LESS_TRANS 

I 

% Subgoal 2: (Continue) % 

AS S UME_T AC ( REWRITE_RULE [] (RBDUCE_CONV "0<1") ) 

THEN IMP_RES_TAC PRIOR_PALSB_EVENTS_EXIST 
THEN SUBGOAL_THEN 

"STABLE_TRUE_THEN_FALSE ( \ t . SND ( I_B rdy_E (e' t)))(t' + l,t' rdyl ) " 
ASSUME_TAC 

THBNL [ 

% Subgoal 2.1: (New subgoal) % 

RKWRITB_ASS0M_TAC 

( "NTH_TIMB_FALSE 1 ( \t . SND (I_srdy_B (e ' t)))(ti' + Dt'rdyl", 

[num_CONV "1";NTH_TIME_PALSE] ) 

THEN REWRITB_ASSUM_TAC 

( "NTH_TIME_FALSB 0(\t. SND (I_srdy_B (e ' t)))(ti’ + l)t'", 
[NTH_TIMB_FALSB] ) 

THEN POP_ASSOM_LXST (MAP_BVBRY (\thm. STRIP_ASSUME_TAC thm)) 

THEN RDLE_ASSOM_TAC ( REWRITE_RULE [ADD1; ADD_CLAUSES] ) 

THEN XMP_RBS_TAC STABLE_TRUB_THEN_FALSE_UNIQUE 

THEN FILTBR_ASM_RBWRITR_TAC (\tm. tm = "t ' » (t":timeC)") [] 

THEN FILTER_ASM_REWRITB_TAC (\tm. not (is_eq tm) ) [) 

I 

% Subgoal 2.2: (Continue) % 

SOBGOAL_THBN 

"STABLE_FALSE(Sack_Sig_Is_TRUE 8' e ') (t ' rdyl, t 'rdyl) " ASSOME_TAC 
THBNL [ 

% Subgoal 2.2.1: (New Subgoal) % 

RBWRITB_TAC [STABLB_FALSB] 

THEN BBTA_TAC 

THEN ASSDME_TAC (SPEC "t 'rdyl: timeC" LESS_EQ_RBFL ) 

THEN ASM_REWRITB_TAC[] 

THEN REPEAT STRIP_TAC 
THEN SUBGOAL_THBN 

“t" « (t 'rdyl: timeC) " (\thm. RULB_ASSOM_TAC ( REWRITE_RDLE [thm])) 
THBNL [ 

% Subgoal 2.2.1.1: (New Subgoal) % 

IMP_RBS_TAC LBSS_BQUAL_ANTISYM 
7 

% Subgoal 2.2.1.2: (Continue) % 

IMP_RES_TAC 

( RBWRITE_RULB [bsig;BSel] I_LAST_STABLE_HI_FROM_T ' RDYO_TO_T ' RDY1 ) 
THEN NRULB_ASSUM_TAC 

("STABLB_HI(\t: timeC. SND ( l_last_0 (p ' t)))(t’ + l,t'rdyl)", 
(BETA_RULB O ( RBWRITB_RULE [STABLE_HI] ) ) ) 

THEN POP_ASStJM_LlST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm)) 

THEN SPBC_ASSOM_TAC 

("It. (t'+l)<-t /\ t<»t'rdyl ==> ( SND ( l_last_0 (p ' t)).HI)”, 
"t ' rdy 1 : t iroeC " ) 

THEN RES_TAC 

THEN IMP_RBS_TAC I_LAST_HI_IMP_SACK_SIG_NOT_TRUE 

] 

7 

% Subgoal 2.2.2: (Continue) % 

SUBGOAL.THBN "1 <• t'rdy2" ASSUME_TAC 
THBNL [ 

% Subgoal 2.2.2.1: (New Subgoal) % 

IMP_RBS_TAC (RIMP ONB_LBSS_EQ) 

THEN REWRITB_ASSUM_TAC 

( "NTH_TIMB_FALSB l(\t. SND (I_srdy_E (e ' t)))(ti' + Dt'rdyl", 
[num_CONV "1" 7 NTH_TIMB_FALSB ; STABLB_TRUE_THEN_FALSE ] ) 

THEN REWRITE_ASSUM_TAC 

( "STABLB_TRUB_THBN_FALSB ( \ t . SND ( I_srdy_E ( e ' t ) ) ) 

(t 'rdyl+1, t 'rdy2) ", [ STABLB_TRUE_THEN_FALSE ] ) 

THEN P0P_ASS0M_L1ST 

( MAP _B VERY (\thm. STRXP_ASSCME_TAC 
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( REWRITB_RULE [ ADD1 ; ADD_CLAUSBS ] thm) ) ) 
THEN ASSUME_TAC (SPECL ["ti ' t timeC"; "1") LBSS_EQ_ADD) 

THEN ASSOME_TAC (SPECL ["t " t timeC" ; "1") LBSS_EQ_ADD) 

THEN ASSUME_TAC (SPECL ["t 'rdyl t timeC"; "1"] LESS_EQ_ADD) 

THEN IMP_RE S_TAC LBSS_BQ_TRANS 
THEN IMP_RES_TAC LESS_BQ_TRANS 

; 

% Subgoal 2.2.2.2: (Continue) % 

IMP_RES_TAC I_SRDY_TRUE_IMP_SACK_SIO_NOT_TRUE 
THEN IMP_RBS_TAC 

( REWRITB_RULE [bsig;BSel] SACK_SIQ_FALSB_DURINO_DATA_0_1) 
THEN SOBOOAL_THEN 

"(ti' <= (t'rdy2-l) ) A 
(t'rdyl <« (t'rdyl-l)+l)" 

STRIP_ASSUMB_TAC 

THBNL [ 

% Subgoal 2.2.2.2.1: (New subgoal) % 

RBWRITE_ASSUM_TAC 

("STABLB_FALSE(Sack_Sig_Is_TRUB s' e ' ) (ti ' , t ' rdyl - 1)", 
[STABLB_FALSE] ) 

THEN RBWRITS_ASSUM_TAC 

( "STABLB_TROE_THEN_FALSE (\t. SND ( I_srdy_E (a ' t) ) ) 

(t'rdyl + l,t'rdy2) ", [STABLB_TRUB_THBN_FALSE] ) 

THEN POP_ASSOM_LIST (MAP_EVERY (\thm. STRIP_ASSOMB_TAC thm)) 

THEN IMP_RBS_TAC 

(SPECL ["t 'rdyl+1"; "t 'rdy2 t timeC"; "1") LBSS_EQ_MONO_SUB) 
THEN REWRITE_ASSDM_TAC 

("((t'rdyl +1) - 1) <= ( t ' r dy2 - 1) ", [ADD_SUB] ) 

THEN XMP_RES_TAC (RIMP ONE_LESS_EQ) 

THEN ASSDMK_TAC (SPECL [ "t'rdyl: timeC"; "1") SOB_LESS_EQ) 

THEN XMP_RBS_TAC LBSS_BQ_TRANS 

THEN XMP_RES_TAC (SPECL ["t 'rdyl t timeC"; "1"] SCB_ADD) 

THEN XMP_RBS_TAC 

(SPECL ("ti'+l"; "t 'rdyl t timeC"; "1"] lbss_eq_mono_sdb) 
THEN REWRITE_ASSUM_TAC 

("((ti' + 1) - 1) <= (t'rdyl - 1)", [ADD_SUB] ) 

THEN IMP_RKS_TAC LBSS_EQ_TRANS 

THEN ASSDMB_TAC (SPEC "t 'rdyl : timeC" LESS_EQ_RBFL) 

THEN ASM_REWRITE_TAC() 

; 

% Subgoal 2.2.2.2.2: (Continue) % 

1MP_RHS_TAC SOP_INTERVAL_STABLB_FALSE 
THEN ASM_RBWRITE_TAC[] 

] 

1 

1 

] 

] 

);; 

% P_DOWN_TRUE_THEN_STABLE_FALSE_FROM_T'RDY1_TO_T'RDY2 (name as scanned below).
  Second-transfer counterpart of P_DOWN_TRUE_THEN_STABLE_FALSE_FROM_T'RDY0_TO_
  T'RDY1.  Goal: under Standard_Assumps, with the second I_srdy_E fall at
  t'rdyl (NTH_TIME_FALSE 1), I_srdy_E true-then-false over (t'rdyl+1, t'rdy2),
  and size field VAL 1 (SUBARRAY (SND (L_ad_inE (e' tp'))) (1,0)) > 1,
  (\u'. P_downS (s' u')) is TRUE_THEN_STABLE_FALSE over (t'rdyl+1, t'rdy2):
  true at t'rdyl+1 and false for every later u' up to t'rdy2.
  Proof: unfold TRUE_THEN_STABLE_FALSE, beta-reduce, strip, then
  SACK_SIG_FALSE_DURING_DATA_1_2 supplies the no-acknowledge fact used by
  the later subgoals.  Subgoal 1 is the interval bound.  Subgoal 2 gets
  New_State_Is_PD at t'rdyl (NEW_STATE_PD_FROM_TI'_TO_T'SACK_1) after
  unpacking NTH_TIME_FALSE 1 with CHOOSE_ASSUM_TAC, and closes with
  P_down_ISO.  Subgoal 3 rewrites t' as (t'-1)+1 so that P_down_ISO and the
  I_srdy_E stability assumption apply at the preceding cycle.
  NOTE(review): the Subgoal 3 note below is delimited by "Si" where the
  original had comment delimiters (OCR), and its text, which mentions
  t'rdyO and t'rdyl, appears to have been copied from the 0-to-1 proof; the
  assumptions in force here concern t'rdyl and t'rdy2, as the quoted
  assumption "(t'rdyl +1) <= t /\ t < t'rdy2 ==> ..." shows. %
let P_DOWN_TRUH_THKN_STABLB_FALSB_FROM_T'RDY1_TO_T'RDY2 = TAC_PROOF 

(([]/ 

"1 (pti :PTI) (s itimeT->pt_state) (e :timeT->pt_env) (p : timeT->pt_out) 

(t itimeT) (s' itimaC->pc_state) (e' t timeC->pc_env) (p' ttimeC->pc_out) 
(tp' ti' t'rdyl t'rdy2 ttimeC) . 

(Standard_Assumps pti s e p t s' e' p' tp' ti' A 
NTH_TIMB_FALSB l(bsig I_srdy_B e' ) (ti ' + 1) t'rdyl A 
STABLB_TRUB_THEN_FALSE(bsig I_srdy_E e') (t'rdyl + l,t'rdy2) /\ 

(VAL 1 ( SUBARRAY ( SND ( L_ad_inB ( a ' tp' ) ) ) (1, 0) ) ) > 1) ==> 

TRUE_THEN_STABLE_FALSE(\u' . P_downS(s' u')) (t'rdyl + l,t'rdy2)"), 

REWRI TE_TAC [TRUE_THEN_STABLB_FALSB ] 

THEN BETA_TAC 

THEN REPEAT STRIP_TAC 

THEN IMP_RES_TAC SACK_SIO_FALSE_DCRINO_DATA_l_2 
THBNL [ 

% Subgoal 1: "(t'rdyl + 1) <= t'rdy2" % 

RBWRITE_ASSOM_TAC 

( "STABLE_TRDE_THEN_FALSE (bsig I_srdy_E e') (t'rdyl + l,t'rdy2)", 
[STABLB_TROB_THBN_FALSB] ) 

THEN POP_ASSOM_LIST ( MAP _E VERY (\thm. STRIP_ASSDME_TAC thm)) 

THEN ASM_REWRITE_TAC [] 
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% Subgoal 2: "P_downS (s' (t'rdyl + 1))" % 

IMP_RES_TAC EXPAND„STANBARD_ASSUMPS 
THEN IMP_RES_TAC NTH_TIMB_TRUB_X_IMP_X 
THEN IMP_RBS_TAC NBW_STATE_PD_FROM_TI ' _TO_T ' SACK_1 
THEN NRULB_ASSUM_TAC 

( "NTH_TIMB_PALSE 1 (bsig I_ordy_E e')(ti' + 1) t'rdyl", 

( BBTA_RULE o 

(REWRITE_RULB tn.UltL.CONV "1";NTH_TXME_FALSE;STABLB_TRUE_THEN_FALSE; 
boigjBSel] ) ) ) 

THEN CHOOSB_ASSUM_TAC 

"?t. ( ( ti ' + (SUC 0)) <= t A 

(It', (ti' + (SUC 0)) <= t' /\ t' < t =«=> SND(I_srdy_E(e' t ' ) ) ) A 
-snd ( I_ srdy_B ( a ' t) ) ) A (t + (SUC 0)) <= t'rdyl A 
( ! t ' . (t + (SUC 0)) <= t' A t'ct'rdyl ==> SNI>(I_ardy_E<e' t ' ) ) ) 
A ~SND ( I_srdy_E ( e ' t'rdyl))" 

THEN POP_ASSUM_LIST 
(MAP_BVERY 

( \tfam. STRIP_ASSUME_TAC (REWRITB_RULE [ ADD1 ; ADD_CLAUSES ] thm) ) ) 

THEN RBWRITB_ASSUM_TAC 

("STABLE_TRUE_THBN_FALSE(bsig I_srdy_E o') (t'rdyl + l,t'rdy2)", 
[STABLB_TRUE_THBN_PAX.SE] ) 

THEN POP_ASSUM_LXST (MAP_EVERY ( \thm. STRIP_ASSUME_TAC thm) ) 

THEN AS SUMB_TAC (SPBCL ["t ' t timoC"; "1"] LESS_EQ_ADD) 

THEN ASSUME_TAC (SPBCL t"t 'rdyls timoC" J "1"] LESS_BQ_ADD ) 

THEN IMP_RES_TAC LESS_EQ_TRANS 
THEN NRULE_ASSUM_TAC 

("It' . (ti'+l)<=t' ==> t'<=t'rdy2 ==> Now_Stato_Ia_PD s' o' t'", 

( (REWRITE_RULE [New_State_Is_PD] ) o (SPEC "t ' rdyl : timoC" ) ) ) 

THEN RBS_TAC 

THEN IMP_RES_TAC P_dovm_ISO 
THEN ASM_RBWRITB_TAC[] 

Si Subgoal 3t [ "(t'rdyO +1) < t'" ] 

[ "t' <« t'rdyl" ] 

[ "P_downS ( s ' t')" ] Si 
UNDXSCH_TAC "P_downS (o' ( t ' 1 1 imoC ) ) " 

THEN XMP_RES_TAC EXPAND_STANDARD_ASSUMPS 

THEN SUBOOAL_THEN "t ' = (t'-l)+l" (\thm. PURE_ONCE_REWRITE_TAC [thm]) 

THENL [ 

Si Subgoal 3. It (Now Subgoal) Si 
IMP_RES_TAC (RIMP ONE_LBSS_EQ) 

THEN REWRITB_ASSUM_TAC 

("NTH_TIME_PALSE 1 (boig X_srdy_B o')(ti' + l)t'rdyl", 

[num_CONV "1" ; NTH_TXMB_PALSE > STABLE_TRUE_THBN_PALSB ] ) 

THEN POP_ASSUM_LIST 
(MAP_EVBRY 

(\thm. STRXP_ASSUHB_TAC (RBWRXTE_RULE [ADD1 1 ADD_CLAUSES] thm))) 
THEN ASSUME_TAC (SPECL ["ti ' t timoC"; "1"] LESS_EQ_ADD) 

THEN ASSUMB_TAC (SPECL ["t " ttimoC" ; "1"] LBSS_BQ_ADD ) 

THEN ASSUME_TAC (SPBCL ["t 'rdyl : timoC"; "1"] LESS_EQ_ADD) 

THEN IMP_RBS_TAC LT_IMP_LE 
THEN XMP_RES_TAC LESS_BQ_TRANS 
THEN XMP_RB S_TAC LBSS_BQ_TRANS 

THEN IMP_RES_TAC (SPECL ["t ' t timoC"; "1"] ( SYM_RULE SUB_ADD) ) 

; 

Si subgoal 3.2t (Continue) Si 
IMP_RES_TAC P_down_ISO 
THEN ASM_RBWRITB_TAC [ ] 

THEN NRULB_ASSUM_TAC 

( "STABLE_TRUE_THBN_FALSE (bsig I_srdy_E o') (t'rdyl + l,t'rdy2)", 
(BBTA_RULB o ( REWRITE RULE [ STABLB_TRUE_THBN_FALSB ; bs ig ; BSel ] ) ) ) 
THEN POP_ASSUM_LIST ( MAP_E VERY (\thm. STRIP_ASSUME_TAC thm)) 

THEN SPBC_ASSUM_TAC 

("It. (t'rdyl +1) <- t A t < t'rdy2 ==> SND(l_srdy_E(e' t))", 
"t'-l") 

THEN IMP_RES_TAC (RBWRITE_RULE [PRE_SUB1] LT_IMP_LB_PRE ) 

THEN SUBSOAL_THBN "1 <= t ' " ASSUMB_TAC 
THENL [ 

Si Subgoal 3. 2. It "1 <» t'" Si 
IMP_RES_TAC (RIMP ONE_LESS_EQ) 

THEN ASSUME_TAC (SPECL ["ti ' t timoC"; "1"] LESS_EQ_ADD) 

THEN RBWRITE_ASSUM_TAC 
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( "NTH_TIME_FALSB l(bsig I_srdy_B e')(ti' + l)t'rdyl", 

[nurn_CONV "1" j NTH_TIME_FALSE ; STABLB_TRUE_THEN_FALSB ] ) 

THEM POP_ASSUM_LIST 
(MAP_EVERY 

( \thm. STRIP_ASSUME_TAC ( REWRITE_RULE [ ADD1 ; ADD_CLAUSES ] thm))) 
THEN ASSUMB_TAC (SPKCL \“f ' l timeC"; "1"] LESS_EQ_ADD ) 

THEN AS S UME_TAC (SPECL ("t 'rdyl : timeC" j "1") LBSS_BQ_AED) 

THEN XMP_RES_TAC LT_IMP_LE 
THEN IMP_RES_TAC LBSS_EQ_TRANS 
THEN XMP_RES_TAC LBSS_EQ_TRANS 
I 

% Subgoal 3.2.2: (Continue) % 

IMP_RES_TAC ( RBWRITE_RULE [PRB_SDB1] LB_IMP_PRE_LT) 

THEN RBS_TAC 

THEN ASM_RBWRITE_TAC [ ) 

] 

] 

) 

) ; ; 

% OFFSET_P_SIZE_STABLE_FROM_T'RDY1_TO_T'RDY2 (OCR-garbled spelling below).
  Under Standard_Assumps, the second I_srdy_E false event at t'rdy1, the
  I_srdy_E true-then-false interval (t'rdy1+1, t'rdy2) and a block-size
  field greater than 1, the P_size state component at time t'rdy1+u'+2
  equals DECN 1 (DECN 1 (size bits of L_ad_inE at tp')) for every offset u'
  with t'rdy1+u'+2 <= t'rdy2+1.  The proof is by INDUCT_TAC on the
  outermost variable u': Subgoal 1 (offset 0) reduces to
  P_SIZE_STABLE_FROM_T'RDY0_TO_T'RDY1, Subgoal 2 (offset u'+1) discharges
  the P_load and P_down side conditions at the next time and rewrites with
  P_size_ISO.  Identifier spellings in this listing are scanning artifacts
  (e.g. IMP_RBS_TAC for IMP_RES_TAC) and must be checked against the
  original HOL source before re-running the proof. %
let OFFSBT_P_SIZE_STABLB_FROM_T'RDY1_TO_T'RDY2 = TAC_PROOF 
 
(([], 
 
"1 (u' : timeC) 
 
(pti iPTI) (e >timeT->pt_etate) (e ttimeT->pt_env) (p itimeT->pt_out) 
 
(t itimeT) (s' <timeC->po_state) (e' t timeC ->pc_env) (p' ttimeC->pc_out) 
(tp' ti' t'rdyl t'rdy2 ttimeC) . 
 
(Standard_Assumps pti s opt s' e' p' tp' ti' /\ 
 
NTH_TIMB_FALSE l(bsig I_srdy_B e')(ti' + ljt'rdyl /\ 
 
STABLB_TRUE_THBN_FAIjSB (bsig I_srdy_E e') ( t 'rdyl+1, t 'rdy2 ) /\ 
 
VAL 1 ( SUBARRAY ( SND ( L_ad_inE ( e ' tp ' ) ) ) (1,0)) > 1 A 
( (t'rdyl +u' +2) <« t'rdy2+l)) 
 
(P_sizeS (s' ( t ' rdyl+u ' +2 ) ) = 
 
DECN 1 (DECN 1 (SUBARRAY ( SND <L_ad_inE ( e ' tp'))) (1,0))))"), 
 
% Induction on the offset u' (the first quantified variable of the goal). %
INDUCT_TAC 
 
THEN REWRITE_TAC [ ADD1 ; ADD_CLAOSES ; ADD_ASSOC | S YM_RULE (REDUCE_CONV "1+1")] 
THEN REPEAT STRIP_TAC 
 
THEN IMP_RBS_TAC EXPAND_STANDARD_ASSUMPS 
THEN IMP_RES_TAC SACK_SIO_FALSE_DURINO_DATA_l_2 
 
THEN IMP_RES_TAC P_LOAD_TRUB_THBN_STABLE_FALSE_FROM_TP ' _TO_T ' SACK 
THEN IMP_RBS_TAC P_DOWN_TRUB_THBN_STABLE_FALSB_FROM_T ' RDYl_TO_T ' RDY2 
THEN ASSUME_TAC (REWRITE_RULE [] (REDUCE_CONV "0-el") ) 
 
THEN IMP_RES_TAC PRIOR_FALSE_EVBNTS_EXIST 
 
THEN ASSUMB_TAC ( REWRITB_RULB [] (REDUCE_CONV "1>0") ) 
 
THEN IMP_RBS_TAC OREATER_TRANS 
THENL [ 
 
% Subgoal li (Base Case) % 
 
XMP_RES_TAC P_size_ISO 
THEN ONCB_ASM_REWRITB_TAC [ ] 
 
THEN POP_ASSUM (\thm. ALL_TAC) %KBBP% 
 
THEN SUBOOAL_THEN 
 
"tp' < t'rdyl /\ (t 'rdyl+1) <=■ t'rdy2" STRIP_ASSUME_TAC 
 
THENL [ 
 
% Subgoal l.lt (New Subgoal) % 
 
IMP_RBS_TAC NTH_TRANS_CAUSAL 
 
THEN ASSUME_TAC (SPEC "ti'itimeC" (REWRITE_RULE [ADD1] LESS_SUC_RBFL) ) 
THEN RBWRITE_ASSUM_TAC 
 
( "NTH_TIME_FALSE l(bsig I_srdy_E e')(ti' + Dt'rdyl", 
 
[num_CONV "1" ; NTH_TXME_FALSE ) STABLE_TRUE_THEN_FALSE ] ) 
 
THEN REWRITE _ASSUM_TAC 
 
( "STABLE_TRUE_THEN_FALSE ( bs ig I_s rdy_E e ' ) ( t ' rdyl + 1 , t ' rdy2 ) " , 
 
[ STABLE_TRUE_THEN_FALSB ] ) 
 
THEN POP_ASSUM_LIST 
( MAP _B VERY 
 
(Nthm. STRIP_ASSUME_TAC (REWRITE_RULE [ ADD1 ; ADD_CLAUSBS ] thm))) 
THEN ASSUME_TAC (SPECL ("t' ' : timeC") "1"] LESS_EQ_ADD) 
 
THEN IMP_RBS_TAC LESS_EQ_TRANS 
THEN IMP_RES_TAC LESS_BQ_LESS_TRANS 
THEN IMP_RES_TAC LBSS_LESS_BQ_TRANS 
THEN IMP_RES_TAC LESS_EQ_TRANS 
THEN IMPURE S_T AC LT_IMP_LE 
THEN ASM_REWRITB_TAC [ ] 
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% Subgoal 1.2 i (Continue) % 
 
ASSUMB_TAC (SPECL [ "t ' rdyl 1 1 imeC" ; "1" ] LBSS_BQ_ADD ) 
 
THEM 1MP_RBS_TAC LBSS_LBSS_BQ_TRANS 
THEN IMP_RES_TAC LESS_EQ_TRANS 
THEN NRULE_ASSUM_TAC 
 
( "TRUB_THEN_STABLE_FALSB ( \u ' . P_loadS (s' u ' ) ) ( tp ' , t ' rdy2 ) " , 
(BETA_RULE o ( REWRITB_RULE t TRUE_THEN_STABLB_FAI.SE ] ) ) ) 
 
THEN NRULE_ASSUM_TAC 
 
( "TRUB_THBN_STABLE_FALSB ( \u ' . P_downS (s' u ' ) ) ( t ' rdyl +1 , t ' rdy2 ) * , 
(BETA_RULE o (REWRITB_RULE (TRUE_THBN_STABLE_FALSE) ) ) ) 
 
THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUMB_TAC thm)) 
 
THEN SPBC_ASSUM_TAC 
 
("It. tp' < t /\ t <• t'rdy2 ~P_loadS(s' t) ", "t'rdyl+1") 
 
THEN RES_TAC 
 
THEN ASM_REWRITE_TAC [ ] 
 
THEN NRULB_ASSUM_TAC 
 
( "NTH_TIMB_FALSB 1 (bsig I_srdy_E e')(ti' + l)t'rdyl", 
(PURE_ONCE_RBWRITE_RULE [num_CONV "1"])) 
 
THEN NRULB_ASSUM_TAC 
 
("NTH_TIME_FALSB (SUC 0) (bsig I_srdy_B e')(ti'+(SUC 0))t'rdyl", 
<PURE_ONCE_RBWRITB_RULE [NTH_TIME_FAI.SE] ) ) 
 
THEN CHOOSB_ASSUM_TAC 
 
"?t. NTH_TXME_FALSE 0 (bsig I_srdy_E e')(ti' + (SUC 0) ) t /\ 
STABUS_TRUB_THEN_FAI.SE (bsig X_srdy_E e')(t + l.t'rdyl)" 
 
THEN POP_ASSUH_I.IST 
(MAP_EVBRY 
 
( \thm. STRIP_ASSUMB_TAC ( RBWRITK_RULB [ AUDI ; ADD_CLAUSES ] thm))) 
THEN SUBQOAL_THEN 
 
" ( ( t ' ' +2 ) <= t'rdyl+1) /\ ((t'rdyl+1) <= t'rdyl+1)'' 
STRIP_ASSUMB_TAC 
 
THENL [ 
 
% Subgoal 1.2.1i (New subgoal) % 
 
ASSUMB_TAC (SPEC "t'rdyl+1" LESS_BQ_REFL) 
 
THEN REWRITE_ASSUM_TAC 
 
( "STABLE_TRUB_THEN_FALSE (bsig I_srdy_E e')(t" + l.t'rdyl)", 
 
[ STABLE_TRUB_THBN_FALSB ] ) 
 
THEN POP_ASSUM_LIST (MAP_EVERY ( \thm. STRIP_ASSOME_TAC thm) ) 
 
THEN XMP_RBS_TAC 
 
(SPECL ["t"+l";"t'rdylitimeC";"l"] (RIMP LESS_EQ_MONO_ADD_EQ ) ) 
THEN ASM_REWRI TE_TAC [SYM_RULE (REDUCE_CONV "1+1") ;ADD_ASS0C] 
 
I 
 
% Subgoal 1.2.2t (Continue) % 
% The base case is an instance of the t'rdy0..t'rdy1 stability result. %
 
IMP_RBS_TAC (SPEC "t'rdy+1" P_S1ZE_STABLE_FR0M_T ' RDYO_TO_T ' RDY1 ) 
 
THEN ASM_RBNRXTB_TAC[] 
 
] 
 
] 
 
% Subgoal 2t (Induction Step) % 
 
IMP_RES_TAC P_size_ISO 
THEN ONCB_ASM_REWRITE_TAC [ ] 
 
THEN POP_ASSUM (\thm. ALL_TAC) %KBBP% 
 
THEN RULE_ASSUM_TAC 
 
(\thm. REWRITE_RULE [ S YM_RULB (REDCCE_CONV "1+1") ;ADD_ASS0C] thm) 
THEN ASSUME_TAC (SPECL ["(((t'rdyl + u') +1) + 1)";"1"] LESS_EOJSDD) 
 
THEN XMP_RBS_TAC LESS_EQ_TRANS 
 
THEN RBS_TAC 
 
THEN NRULE_ASSUM_TAC 
 
( "TRUB_THEN_STABLB_FALSE ( \u ' . P_loadS (s' U ' ) ) ( tp ' , t ' rdy2 ) * , 
 
( BETA_RULB o (REWRITB_RULE [TRUE_THEN_STABLE_FALSE] ) ) ) 
 
THEN NRULB_ASSUM_TAC 
 
( "TRUB_THEN_STABLB_FALSE ( \u ' . P_downS (s' u ' ) ) ( t ' rdyl + 1 , t ' rdy2 ) " , 
(BETA_RULE o (RBWRITE_RULE [TRUE_THEN_STABLE_FALSB] ) ) ) 
 
THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm)) 
 
% Specialise the P_load and P_down stability facts at the next time
  ((t'rdy1+u')+1)+1 so that P_size_ISO carries the value forward. %
THEN SPEC_ASSUM_TAC 
 
("It. tp' < t /\ t <= t'rdy2 ==> -P_loadS(s' t)", 
 
* { (t ' rdyl+u' ) +1) +1" ) 
 
THEN SPEC_ASSUM_TAC 
 
("It. (t'rdyl + 1) < t /\ t <= t'rdy2 »=> -P_downS(s' t)", 
 
"( (t'rdyl+u')+l)+l") 
 
THEN XMP_RES_TAC 
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(SPKCL [" ( ( (t 'rdyl+U' ) +1) +1) +1" J "t ' rdy2+l" ; "1"] LESS_BQ_MONO_SUB) 
THEN REWRITB_ASSUM_TAC 
 
("(((( (t'rdyl + u') + 1) + 1) + 1) - 1) <= ( ( t ' rdy2 + 1) - 1)", 
[ADD_SUB] ) 
 
THEN ASSUMB_TAC (SPBCL ("t ' rdyl ttimeC" ; "u' ttimeC" ] LBSS_EQ_ADD ) 
 
THEN IMP_RBS_TAC 
 
(RIMP (SPBCL ["t 'rdyl: timeC" ; "t 'rdyl+u' "1"] LESS_BQ_MONO_ADD_EQ) ) 
THEN ASSOME_TAC (SPEC " (t ' rdyl+u' ) +1" (REWRITE_RULB [ADD1] LESS_SUC_REFL) ) 
THEN IMP_RES_TAC LBSS_EQ_LESS_TRANS 
 
THEN IMP_RBS_TAC NTH_TRANS_CAUSAL 
 
THEN ASSUME_TAC (SPECL ("ti ': timeC"; "1"] LESS_EQ_ADD ) 
 
THEN NRULB_ASSUM_TAC 
 
( "NTH_TIME_PALSE 1 ( bs ig I_e rdy_E e')(ti' + l)t' rdyl " , 
 
(BETA_RULE o 
 
(RBWRITE_RULE [num_CONV "1"; NTH_TIME_FALSB; 
 
STABLE_TRUE_THEN_FALSE ] ) ) ) 
 
THEN POP_ASSUM_LIST 
( MAP_EVERY 
 
(\thm. STRIP_ASSUME_TAC ( REWRITE_ROLE [AUDI ; ADD_CLAUSES ] thm) ) ) 
THEN ASSUMB_TAC (SPEC "t": timeC" (RBVmiTB_RULB [ADD1] LESS_SUC_REFL) ) 
 
THEN ASSUME_TAC (SPBCL ("t ' rdyl : timeC" ; "1"] LB S S_BQ_ADD ) 
 
THEN IMP_RES_TAC LESS_BQ_TRANS 
THEN IMP_RBS_TAC LESS_EQ_LESS_TRANS 
THEN IMP_RES_TAC LBSS_LESS_EQ_TRANS 
THEN IMP_RBS_TAC LBSS_TRANS 
THEN RKS_TAC 
THEN ASM_REWRITB_TAC ( ] 
 
] 
 
)11 

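% P_SIZE_STABLE_FROM_T'RDY1_TO_T'RDY2 (OCR-garbled spelling below).
  Fixed-time form of OFFSET_P_SIZE_STABLE_FROM_T'RDY1_TO_T'RDY2: for any
  t' with t'rdy1+2 <= t' <= t'rdy2+1 the P_size state component equals
  DECN 1 (DECN 1 (size bits of L_ad_inE at tp')).  The offset theorem is
  instantiated and its conclusion rewritten with the arithmetic identity
  t'rdy1 + ((t' - (t'rdy1 + 2)) + 2) = t' (Subgoal 1, which needs
  2 <= t' - t'rdy1 from the lower bound on t'); Subgoal 2 closes by
  resolution.  A stray report page number that the scan had interleaved
  with the tactic text of Subgoal 1.1 has been removed.  Identifier
  spellings are scanning artifacts and must be checked against the
  original HOL source before re-running the proof. %
let P_SIZB_STABLB_FROM_T'RDYl_TO_T'RDY2 « TAC_PROOF 
 
(([], 
 
" ! (t' : timeC) 
 
(pti : PTI) (e :timeT->pt_8tate) (e : timeT->pt_env) (p ttimeT->pt_out) 
 
(t itimeT) («' : timeC->pc_atate) (e' : timeC ->pc_env) (p' :timeC->pc_out) 
(tp' ti' t'rdyl t ' rdy2 ttimeC) . 
 
(Staadard_A8sumps pti s e p t e' e' p' tp' ti' /\ 
 
NTH_TIMB_FALSE l(b»ig I_«rdy_B e')(ti' + l)t'rdyl /\ 
 
STABLE_TRUE_THBN_FALSE (bsig I_ordy_E e') (t ' rdyl+1, t 'rdy2 ) /\ 
 
VAL 1 (SOBARRAY(SND(L_ad_inB(e' tp')))(l,0)) > 1 /\ 
 
( (t'rdyl +2) <» t') /\ 
 
(t' <« t'rdy2+l)) 
 
==> 
 
(P_sizeS (o' t') * 
 
DECN 1 (DECN 1 (SUBARRAY ( SND ( L_ad_inE (o' tp'))) (1,0))))"), 
 
RBWRITE_TAC (SYM RULK (RBDUCE_CONV "1+1") ;ADD_ASS0C] 
 
THEN REPEAT STRIP_TAC 
 
% Instantiate the offset theorem, then specialise the resulting
  assumption so the offset u' becomes t' - (t'rdy1 + 2). %
THEN XMP_RBS_TAC (SPEC "t'-tp'+2" OFFSET_P_SIZE_STABLE_FROM_T ' RDY1_T0_T ' RDY2 ) 
THEN SPKCL_ASSUM_TAC 
 
( " ! ( t ' tp" ' ttimeC) . (t'rdyl+( (t'-(tp" '+2) )+2) ) <= (t'rdy2 + 1) ==> 
(P_sizes(s' (t'rdyl + ((t' - (tp'" + 2)) + 2))) = 
 
DECN KDBCN 1 (SUBARRAY (SND ( L_ad_inE ( e ' ( tp timeC) ))) (1, 0) )))" , 
 
("t ' ttimeC"; "t 'rdyl ttimeC"] ) 
 
THEN SUBQOAL_THEN 
 
"(t'rdyl + ( ( t ' - (t'rdyl + 2)) + 2)) = t'" 
 
( \thm. RULE_ASSUM_TAC ( REWRITE_RULE (thm])) 
 
THBNL [ 
 
% subgoal It -New subgoal- "t'rdyl + ((t' - (t'rdyl + 2)) + 2) = t'" % 
RBWRITB_TAC [SYM_RULE (ASS0C_SUB_SUB1) ] 
 
THEN SUBGOAL_THEN "2 <■ (t' - t'rdyl)" ASSUME_TAC 
THBNL [ 
 
% Subgoal l.lt "2 <= (t' - t'rdyl)" 
 
[ "((t'rdyl +1) +1) <= t'" ] % 
 
retjrite_tac 
 
(SYM_RULB (SPBCL ("2"; "t ' -t 'rdyl"; "t ' rdyl ttimeC"] 
LBSS_EQ_MONO_ADD_EQ) ] 
 
THEN ASSUMB_TAC (SPECL ["t 'rdyl ttimeC"; "1"] LESS_EQ_ADD) 
 
THEN ASSUME_TAC (SPKCL ("t 'rdyl+l"| "1"] LKSS_EQ_ADD) 
 
THEN IMP_RES_TAC LESS_EQ_TRANS 
 
THEN IMP_RES_TAC (SPBCL ("t ' t timeC"; "t ' rdyl t timeC"] SUB_ADD ) 
 
THEN ASM_RBWRITB_TAC [ ] 
 
THEN PURB_ONCE_RBWRITE_TAC [ADD_SYM] 
 
THEN ASM_RBWRITB_TAC [SYM_RULE (REDUCB_CONV "1+1") ;ADD_ASSOC] 
 
; 
 
% Subgoal 1.2i [ "2 <= (t' - t'rdyl)" J 9s 
ASSUMB_TAC (SPEC "2" LBSS_EQ_REPL) 
 
THEN IMP_RBS_TAC (SPECL ["t ' -t 'rdyl"; "2"; "2") ASS0C_SUB_ADD1) 
THEN ASM_RBWRITB_TAC tSUB_EQUAL_0 ; ADD_CLAUSES] 
 
THEN PDRB_ONCB_RBWRITE_TAC [XDD_SYM] 
 
THEN AS SUME_T AC (SPECL ("t ' rdyl t timeC" ; "1") LESS_BQ_ADD) 
 
THEN ASSUMB_TAC (SPECL [ "t ' rdyl+1" ; "1"] LESS_EQ_ADD) 
 
THEN IMP_HES_TAC LESS_EQ_TRANS 
 
THEN IMP_EBS_TAC (SPECL ("t ' t timeC" ; "t ' rdyl i timeC" ] SDB_ADD) 
 
) 
 
; 
 
9s Subgoal 2 9s 
HBS_TAC 
 
] 
 
) ) J 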

% DECN_DECN_WORDN_1_NOT_EQ (OCR-garbled spelling below).
  Asserts that twice decrementing a 2-bit word x whose value exceeds n is
  never equal to WORDN 1 m when n > m + 1.
  This is introduced with mk_thm, which constructs a theorem WITHOUT a
  proof: HOL's logical kernel does not check it, so it is an unverified
  assumption of this verification rather than a proved result.  Every
  theorem that depends on it (I_LAST_STABLE_HI_FROM_T'RDY1_TO_T'RDY2 uses
  it in Subgoal 2.2.1) inherits that trust.  Replacing it by a genuine
  TAC_PROOF would close the gap. %
let DECN_DBCN_W0RDN_1_N0T_BQ = mk_thm 
 
( U, 
 
"! (x iwordn) (m n mum) . 
 
(VAL 1 x > n) ==> 
 
(n > m + 1) »=> 
 
~(DECN 1 (DBCN 1 x) = WORDN 1 m) " 


% I_LAST_STABLE_HI_FROM_T'RDY1_TO_T'RDY2 (OCR-garbled spelling below).
  The l_last_0 output is HI throughout (t'rdy1+1, t'rdy2) when the block
  size field of L_ad_inE at tp' is greater than 2.  Subgoal 1 is the
  interval well-formedness condition t'rdy1+1 <= t'rdy2, read off the
  STABLE_TRUE_THEN_FALSE assumption.  Subgoal 2 fixes a time t' in the
  interval and case-splits on t'rdy1+1 < t': strictly inside the window
  (2.2.1) P_size is known from P_SIZE_STABLE_FROM_T'RDY1_TO_T'RDY2 and
  shown distinct from the terminal value via DECN_DECN_WORDN_1_NOT_EQ,
  which is a mk_thm assertion and so an unproved assumption of this
  result; at the boundary t' = t'rdy1+1 (2.2.2) it uses
  P_SIZE_STABLE_FROM_T'RDY0_TO_T'RDY1 and DECN_WORDN_1_NOT_EQ instead.
  Identifier spellings are scanning artifacts and must be checked against
  the original HOL source before re-running the proof. %
let I_LAST_STABLE_HI_FROM_T ' EDY1_T0_T ' RDY2 = TAC_PROOF 
 
(([], 
 
"! (pti iPTI) (s itimeT->pt_Btate) (e itimeT->pt_env) (p itimeT->pt_out) 
 
(t itimeT) (■' itimeC->pc_etate) (e' i timeC ->po_env) (p' i timeC ->po_out) 
(tp' ti' t'rdyl t'rdy2 t timeC) . 
 
(Staudard_As sumps pti s e p t s' s' p' tp' ti' /\ 
 
NTH_TIME_FALSE 1 (bsig I_srdy_E e') (ti'+l) t'rdyl /\ 
STABLE_TRUE_THEN_FALSE (bsig I_srdy_E e') ( t ' rdyl+1, t ' rdy2 ) /\ 
 
(VAL 1 ( SUBARRAY ( SND ( L_ad_inE ( e ' tp')))(l,0)> > 2)) ==> 
 
STABLE_H1 (bsig l_last_0 p') (t 'rdyl+1, t 'rdy2) ") , 
 
REWRITE_TAC [bs ig t BSel ; STABLE_HI ] 
 
THEN REPEAT STRIP_TAC 
 
THEN IMP_RES_TAC (REWRITE_RULB [bsig/BSel] IB_RBADY_ASSCMPS) 
 
THBNL [ 
 
9s Subgoal li "(t'rdyl + 1) <= t'rdy2" 9s 
RBWRITE_ASSUM_TAC 
 
( "STABLB_TRUB_THEN_PALSE ( \t . SND (I_srdy_E (e ' t))) (t'rdyl + l,t'rdy2)", 
[STABLE_TRUE_THBN_FALSE ] ) 
 
THEN ASM_REWRITB_TAC [ ] 
 
; 
 
% Subgoal 2i 
 
"(\t. SND ( l_last_0 (p ' t)))t' = HI" 
 
[ "STABLE_TRUB_THBN_FALSB ( \t . SND (I_srdy_B (e ' t))) (t'rdyl + l,t'rdy2)" ] 
[ "(t'rdyl +1) <« t'" ] 
 
[ "t ' <= t'rdy2" ] % 
 
BETA_TAC 
 
THEN IMP_RBS_TAC BXPAND_STANDARD_ASSUMPS 
 
THEN ASSUMB_TAC ( REWRITE_RULE (] (REDUCB_CONV "2>1") ) 
 
THEN ASSUMB_TAC ( REWRITE_RULE [] (REDUCE_CONV "1>0") ) 
 
THEN IMP_RBS_TAC OREATER_TRANS 
 
THEN SUBOOAL_THBN "(tp'<«ti') /\ ((ti'+l) <- t'rdyl)" STRIP_ASSUME_TAC 
THBNL [ 
 
9s Subgoal 2. It (New subgoal) 9s 
IMP_RBS_TAC NTH_TRANS_CAUSAL 
THEN REWRITE_ASSUM_TAC 
 
("NTH_TIME_FALSB l(\t. SND (I_srdy_E (e ' t ) ) ) ( ti ' + l)t'rdyl", 
[nunuCONV "1 " ; NTH_TIME_FALSE ; S TABLE_TRUE_THEN_F ALSE ] ) 
 
THEN POP_ASSUM_LIST 
(MAP_BVERY 
 
(\thm. STRIP_ASSUMB_TAC ( REWRITE_RULE [ADD1; ADD_CLAUSES) thm) ) ) 
THEN ASSUMB_TAC (SPECL ["t " t timeC" ) "1"] LBSS_EQ_ADD) 
 
THEN IMP_RES_TAC LBSS_BQ_TRANS 
THEN ASM_REWRITB_TAC [ ] 
 
J 
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% Subgoal 2.2: (Continue) % 
 
ASSUMB_TAC (SPECL ("t 'rdyl : timeC"; "1"] LESS_EQ_ADD) 
 
THEN ASSOME_TAC (SPECL ["t'rdy2 itimeC"; "1"] LESS_BQ_ADD) 
 
THEN IMP_EBS_TAC LBSS_EQ_TRANS 
THEN IMP_RES_TAC 
 
(REWRITE_RULE [bsig/BSel] SACK_SIQ_FALSE_DURIN0_DATA_1_2 ) 
 
THEN IMP_RBS_TAC NTH_TXME_TRUE_X_IMP_X 
 
THEN IMP_RBS_TAC NBW_STATE_PD_FROM_TI '_TO_T' SACK_1 
 
THEN IMP_RES_TAC 
 
( REWRITE_RULE 
[bsig;BSel] 
 
P_DOWN_TRUE_THEN_STABLE_FALSE_FROM_T ' RDY1_T0_T ' RDY2 ) 
 
THEN NRULE_ASSUM_TAC 
 
( "TRUB_THSN_STABLE_FALSE ( \u ' . P_do*mS (s' u ' ) ) ( t ' rdyl+1 , t ' rdy2 ) " , 
 
(BETA_RULB O ( REWRITE_RULE [ TRUE_THEN_STABLE_FALSB ] ) ) ) 
 
THEN POP_ASSUM_LIST (MAP_EVERY (\thm. STRIP_ASSUME_TAC thm) ) 
 
THEN SPBC_ASSUM_TAC 
 
("It. (t'rdyl +1) < t /\ t <■ t'rdy2 »=> ~P_downS(s' t)", 
 
"t' itimeC") N 
 
% Unfold the state at t' and the l_last_0 output wire definition. %
THEN RBWRITE_ASSUM_TAC ( "New_State_Is_PD s ' e' t ' " , [New_State_Is_PD] ) 
THEN IMP_RBS_TAC I_laSt_ISO 
THEN ASM_RHWRITB_TAC 
 
[WIRE ; SYM_RULE (prove_oonstruotors_distinot pf sm_ty_Axiom) ] 
THEN POP_ASSUM (\thm. ALL_TAC ) 
 
% Case split: t' strictly inside the window, or at its first cycle. %
THEN ASM_CASBS_TAC "(t'rdyl+1) < t 
THENL [ 
 
% Subgoal 2.2.1: [ "(t'rdyl + 1) < t'" 3 % 
 
IMP_RES_TAC ( RBWRITE_RDLE [AUDI] LT_IMP_SUC_LB ) 
 
THEN NROLB_ASSDM_TAC 
 
("((t'rdyl + 1) + 1) <= t'", 
 
( REDUCE_RULE o ( REWRITE_RULE [SYM_RULE ADD_ASSOC] ) ) ) 
 
THEN IMP_RBS_TAC 
 
( REWRITE_RULB [bsig;BSel] P_SIZE_STABLE_FR0M_T'RDY1_T0_T'RDY2) 
THEN RBS_TAC 
 
THEN ASSUME_TAC ( REWRITE_RULE [] (RBDOCE_CONV "2>0+l") ) 
 
% DECN_DECN_WORDN_1_NOT_EQ is a mk_thm assertion (unproved). %
THEN IMP_HBS_TAC 
 
(SPECL ["SUBARRAY ( SND ( L_ad_inE ( e ' (tp' itimeC) ))) (1, 0) "j 
"0 " j "2 " ] DBCN_DECN_WORDN_l_NOT_EQ ) 
 
THEN ASM_RBWRITB_TAC[] 
 
I 
 
% subgoal 2.2.2: [ "-(t'rdyl + 1) < t'" ] % 
 
SUBOOAL_THEN "t ' » t'rdyl+1" (\tbm. RBWRITE_TAC [thm]) 
 
THENL [ 
 
% Subgoal 2. 2. 2.1: (New Subgoal) % 
 
IMP_RBS_TAC NOT_LESS 
THEN IMP_RES_TAC LBSS_EQUAL_ANTISYM 
I 
 
% Subgoal 2. 2. 2. 2: (Continue) % 
 
AS SUHB_TAC ( RBWRITB_RULE [] (REDUCE_CONV "0<1") ) 
 
THEN IMP_RES_TAC PRIOR_FALSE_EVBNTS_EXIST 
THEN NRULE_ASSUM_TAC 
 
( "NTH_TIME_FALSB l(\t. SND(I_srdy_E (e ' t)))(ti' + l)t'rdyl", 
( PURE_ONCE_REWRITB_RULB [num_C0NV "1"] ) ) 
 
THEN NRULE_ASSUM_TAC 
 
("NTH_TIMH_FALSE (SUC 0)(\t. SND ( I_srdy_E ( e ' t))) 
 
(ti' + (SUC 0) )t'rdyl", 
 
( PURE_ONCE_REWRITE_RULE [NTH_TIME_FALSE] ) ) 
 
THEN POP_ASSUM_LIST 
(HAP_EVERY 
 
(\thm. STRIP_ASSUME_TAC 
 
(RBWRITE_RULE [ADD1) ADD_CLAUSES] thm))) 
 
THEN SUBOOAL_THEN 
 
" ( { t " ' +2 ) <= t'rdyl+1) /\ 
 
((t'rdyl +1) <* t'rdyl +1)" STRIP_ASSUME_TAC 
 
THENL [ 
 
% Subgoal 2. 2. 2. 2.1: (New subgoal) % 
 
ASSUME_TAC (SPEC "t'rdyl+1" LBSS_EQ_REFL ) 
 
THEN IMP_RBS_TAC (REWRITE_RULE [AUDI] LT_IMP_SUC_LE) 
 
THEN IMP_RES_TAC 
 
(SPECL ["t' ' +1"> "t 'rdyl itimeC"; "1"] 
 
(RIMP LBSS_EQ_MONO_ADD_BQ ) ) 
 
THEN REWRITB_ASSUM_TAC 
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("((t" + 1) + 1) <= (t'rdyl + 1)", 
 
* [ASSOC_ADD_ADD1;RBDUCB_CONV "1+1"]) 
 
THEN IMP_RBS_TAC FALSE_BVENT_TIMBS_BQUAL 
THEM PURB_ONCB_ASM_RBWRITB_TAC [ ] 
 
t * THEN FILTBR_ASM_RBWRITE_TAC (\tm. not (is_eq tm) ) [] 
 
I 
 
% Subgoal 2. 2. 2. 2. It (Continue) % 
 
IMP_RBS_TAC 
 
* (REWRITE_RULB [bsig;BSel] 
 
P_SIZE_STABLE_FROM_T ' RDY0_TO_T ' RDY1 ) 
 
THEN ASSUME_TAC ( REWRITE_RULE [] (REDUCE_CONV "2>1")1 
THEN IMP_RES_TAC 
 
( SPECL [ "SUBARRAY ( 3ND ( L_ad_inB ( e ' ( tp' t timeC) ) ) ) (1, 0) ") 
"1"; "2"] DECN_WORDN_l_NOT_EQ ) 
 
THEN ASM_REWRITE_TAC [] 
 
1 
 
] 
 
] 
 
] 
 
] 
 
);; 

% I_LAST_FOR_BLOCK_SIZE_0' (OCR-garbled spelling below).
  For a PT_Write transaction whose block size field is WORDN 1 0, the
  l_last_0 output is LO from ti'+1 up to the time selected (by the
  @ choice operator) as the 0th I_srdy_E false event after ti'+1.
  Both subgoals first show that the selected time is uniquely determined
  (SELECT_UNIQUE_TAC, existence from IB_READY_ASSUMPS and uniqueness from
  STABLE_TRUE_THEN_FALSE_UNIQUE or FALSE_EVENT_TIMES_EQUAL) so that the
  @ term can be replaced by a named witness; Subgoal 2 then reduces to
  I_LAST_FOR_BLOCK_SIZE_0.  Identifier spellings are scanning artifacts
  and must be checked against the original HOL source before re-running
  the proof. %
let I_LAST_POR_BLOCK_SIZE_0 ' = TAC_PROOF 
 
(([]» 
 
"1 (s t timeT->pt_atate) (e i timeT->pt_env) (p t timeT->pt_out) 
 
(t ttimeT) (»' ttimeC->pc_state) (o' ttimeC->pc_env) (p' ttimeC->pc_out) 
(tp' ti' itimeC) . 
 
(Standard_As sumps PT_Write s opt s' e' p' tp' ti' /\ 
 
( SUBARRAY ( SND ( L_ad_inB ( e ' tp')))(l,0) = WORDN 1 0)) ==> 
 
STABLB_LO 
 
(bsig l_last_0 p') 
 
(ti' + l,(9u'. NTH_TIME_FALSB 0(bsig I_srdy_E e')(ti' + l)u'))"), 
REWRITB_TAC [STABLE_L0 ; bs tg I BSel ; NTH_TIME_FALSE ] 
 
THEN REPEAT STRXP_TAC 
 
THEN IMP_RES_TAC EXPAND_STANDARD_AS SUMPS 
THENL [ 
 
% Subgoal It 
 
"(ti' + 1) <= 
 
(9u'. STABLB_TRUE_THBN_FALSE ( \t . SND (I_srdy_E (e ' t) ) ) (ti' + l,u'))" % 
% Pin down the @-selected time by proving it is unique. %
SUBOOAL_THBN 
"It'rdyO. 
 
STABLB_TRUB_THBN_FALSE ( \t . SND ( I_ardy_B ( e ' t) ) ) (ti ' +1, t 'rdyO) ==> 
 
( (9u' . STABLE_TRUE_THEN_FALSE ( \t . SND ( I_s r dy_E ( e ' t ) ) ) (ti '+l,u' ) ) 
 
» t'rdyO)" 
 
ASSUME_TAC 
THENL [ 
 
% Subgoal l.lt % 
 
REPEAT STRIP_TAC 
THEN SELECT_UNIQUB_TAC 
THEN ASM_REWRITE_TAC [ ] 
 
THEN REPEAT STRIPJTAC 
 
THEN IMP_RES_TAC STABLB_TRUE_THBN_FALSB_UNIQUE 
 
) 
 
% Subgoal 1 . 2 t % 
 
IMP_RES_TAC ( REWRITE_RULE [bsigjBSel] IB_RBADY_ASSUMPS ) 
 
THEN RES_TAC 
 
THEN RBWRITE_ASSUM_TAC 
 
("STABLE_TRUB_THEN_FALSB(\t. SND(I_srdy_E (o' t ) ) > (ti ' + l,u')", 
[STABLB_TRUK_THBN_FALSB] ) 
 
THEN ASM_REWRITB_TAC [ ] 
 
 
% Subgoal 2 1 
 
"(\t. SND ( l_last_0 (p ' t)))t' > LO" 
 
[ "(ti' + 1) <■ t'" ] 
 
f "t' <= (9u ' . NTH_TIME_FALSB 0 ( \t . SND ( I_S rdy_E ( e ' t ) ) ) ( t i ' + l)u')" ] % 
 
BETA_TAC 
 
THEN SUB80AL_THBN 
" ! t ' rdyO . 
 
NTH_TIMB_FALSB 0 (\t. SND(I_srdy_B (e ' t))) (ti' + 1) t'rdyO ==> 
 
( (9u' . NTH_TIME_FALSB 0 (\t. SND ( X_srdy_B (e ' t) ) ) (ti' + l)u') = t'rdyO)" ASSUMB_TAC 
 
THENL [ 
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% Subgoal 2 . 1 t % 
 
REPEAT STRXP_TAC 
THEM SBLECT_ONIQOE_TAC 
THEN ASM_RBWRITB_TAC [ ] 
 
THEN REPEAT STRIP_TAC 
 
THEN XMP_RBS_TAC FALSE_EVENT_TIMES_BQUAL 
 
; 
 
% Subgoal 2 . 2 1 
"SND(I_last_0(p' t ' ) ) = LO" 
 
[ "(ti' + 1) <= t'" ] 
 
[ "t' <= (®u ' . NTH_TIME_FALSE 0 ( \t . SND (I_srdy_B (o ' t) ) )-<ti'+l)u' ) " ] 
[ "Jt'rdyO. 
 
NTH_TIME_FALSB 0(\t. SND ( I_Srdy_B (e ' t)))(ti' + Dt'rdyO ■*> 
<(®u'. NTH_TIMB_FALSE 0(\t. SND ( I_srdy_B ( e ' t)))(tl' + l)u') = 
t'rdyO)" ] % 
 
REWRITE_ASSUM_TAC 
 
("It'rdyO. NTH_TIME_FALSE 0(\t. SND (I_srdy_E (e ' t) ) ) (ti' +1) t 'rdyO ==> 
<(®u'. NTH_TIME_FALSE 0 ( \t . SND ( I_srdy_E ( e ' t)))(ti' + l)u') = 
t'rdyO)", [NTH_TIME_FALSB] ) 
 
THEN IMP_RES_TAC ( REWRITE_ROLE [bsigjBSel] IB_READY_ASSUMPS ) 
 
THEN RES_TAC 
 
THEN ASM_REWRITE_AS SUM_TAC 
 
("t' <= (®u'. STABLE_TRUE_THEN_FAIiSE ( \ t . SND (I_srdy_E (e' t ) ) ) 
 
(ti' + l,u'))",m 
 
% With the witness named, the unprimed block-size-0 result applies. %
THEN IMP_RES_TAC (REWRITE_RULE tbsig;BSel] I_LAST_FOR_BLOCK_SIZE_0 ) 
 
THEN NRULE_ASSUM_TAC 
 
<"STABLE_LO(\t. SND(I_last_0<p' t ) ) ) {ti ' + 1,U')", 
 
(BBTA_RULE o ( REWRITB_RULB [STABLE_LO] ) ) ) 
 
THEN POP_ASSOM_LIST (MAP_BVBRY STRXP_ASSUME_TAC tbm) ) 
 
THEN SPEC_ASSOM_TAC 
 
("!t. (ti' + 1) <= t /\ t <x u' ==> (SND(I_last_0(p' t)) = LO)", 
"t‘ ttimeC") 
 
THEN RES.TAC 
 
] 
 
) 
 
) tl 

% I_SRDY_FALSE_2_TIMES (OCR-garbled spelling below).
  Existence of a time t'rdy1 at which I_srdy_E has been false for the
  second time (NTH_TIME_FALSE 1) after ti'+1, given the standard
  assumptions and a block size field greater than 0.
  Subgoal 1 obtains a second STABLE_TRUE_THEN_FALSE interval from the
  rdy_sig_ib property supplied by IB_READY_ASSUMPS, discharging its
  premise with l_last_0 being HI at the first false event u'
  (I_LAST_STABLE_HI_FROM_TI'_TO_T'RDY0).  Subgoal 2 assembles the
  witness by unfolding NTH_TIME_FALSE.  Identifier spellings are scanning
  artifacts and must be checked against the original HOL source before
  re-running the proof. %
let I_SRDY_FALSE_2_TXMES = TAC_PROOF 
 
(([], 
 
"! (pti iPTI) (s itimeT->pt_state) (e stimeT->pt_env) (p ! timeT->pt_out ) 
 
(t ttimeT) (s' itimeC->pe_state) (e' :timeC->po_env) (p' itimeC->pc_out) 
(tp' ti' :timeC) 
 
(Standard_Assuinps pti s e p t s' e' p' tp' ti' / \ 
 
VAL i ( SDBARRAY ( SND ( L_ad_inB ( a ' tp '))) (1,0)) > 0) ==> 
 
?t'rdyl. NTH_TXME_FALSE 1 (bsig I_srdy_E e') (ti'+l) t'rdyl"), 
 
REPEAT STRIP_TAC 
 
THBN IMP_RES_TAC EXPAND_STANDARD_ASSUMPS 
THEN IMP_RES_TAC IB_READY_ASSOMPS 
THEN SUBOOAL_THEN 
 
"7V'. STAB LB_TRUE_THBN_FALSE (bsig I_srdy_E e')(u' + 1,V')" ASSUME_TAC 
 
THBNL [ 
 
% Subgoal li (New Subgoal) % 
 
NRULE_ASSUM_TAC 
 
("lu'. rdy_sig_ib e' p' u' ==> 
 
( 7v' . STAB LE_TRDE_THBN_FALSE (bsig I_srdy_E e')(u' + l,v'))", 
 
(BETA_ROLE o ( REWRITE _RULE [rdy_sig_ib>BSel] ) o (SPEC "u' :timeC") ) ) 
 
THEN IMP_RBS_TAC I_LAST_STABLE_HI_FROM_TI ' _TO_T ' RDYO 
THEN NRULB _ASSUM_TAC 
 
( "STABLE_HX (bsig X_last_0 p')(ti' + l,u')", 
 
( BBTA_RULE o ( RBWRITE_RULB [STABLE_HX;bsig;BSel] ) ) ) 
 
THEN NRULE_ASSUM_TAC 
 
( "STABLB_TRDE_THEN_FALSE (bsig I_srdy_E e')(ti' + 1,U' ) ", 
 
<BETA_RULE o ( RBWRITE_RULB [STABLE_TROE_THBN_FALSE;bsig;BSel] ) ) ) 
THEN POP_ASSUM_LIST (MAP_EVERY ( \thm. STRIP_ASSDME_TAC thm) ) 
 
THEN SPEC_ASSOM_TAC 
 
("It. (ti' + 1) <« t /\ t u' ==> ( SND ( X_last_0 (p ' t) ) = HI)'', 
 
"u' i timeC") 
 
THEN ASSDME_TAC (SPEC "u'i timeC" LESS_EQ_RBFL) 
 
THBN RES_TAC 
THBN RBS_TAC 
 
THBN EXISTS_TAC "v' l timeC" 
 
THBN ASM_RBWRITE_TAC [ ] 
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f 1 
 
% Subgoal 2: build the NTH_TIME_FALSE 1 witness from the two intervals. %
CHOOSB_ASSUM_TAC 
 
"?V'. STABLB_TRUB_THEN_FALSE (bsig I_srdy_E e')(U' + 1,V)“ 
 
THEN BXISTS_TAC "V itimaC" 
 
„ » THEN RBWRITE_TAC [num_CONV "1">NTH_TIMB_FALSB) 
 
THEN EXISTS_TAC "u' itimeC" 
 
THEN ASM_RBWRITB_TAC [ADDl J ADD_CLAUSES] 
 
3 
 
* ) 1 1 

% I_LAST_FOR_BLOCK_SIZE_1' (OCR-garbled spelling below).
  For a block size field of WORDN 1 1, l_last_0 is not LO but HI on
  (ti'+1, first I_srdy_E false event) and LO on (first false event + 1,
  second false event), both event times written with the @ choice
  operator.  Subgoal 1 shows the VAL of the field is greater than 0 so
  that I_SRDY_FALSE_2_TIMES applies; Subgoal 2.1 / 2.2.2.1 replace the
  @ terms by named witnesses via SELECT_UNIQUE_TAC, and Subgoal 2.2.2
  reduces to the unprimed I_LAST_FOR_BLOCK_SIZE_1.  Identifier spellings
  are scanning artifacts and must be checked against the original HOL
  source before re-running the proof. %
lot I_LAST_F0R_BL0CK_SIZE_1 ' = TAC_PROOF 
 
(([), 
 
"1 (pti iPTX) (s ttimeT->pt_state) (a ttimeT->pt_env) (p :timoT->pt_out) 
 
(t : timoT) (s' ttimeC->pc_state) (o' ttimeC->pc_env) (p' ttimeC->pc_out) 
(tp' ti' ttimeC) . 
 
( Standard_Assuzrq?s pti s opt s' o' p' tp' ti' A 
(SUBARRAY (SND(L_ad_inE (o' tp')))(l,0) = WORDN 1 1)) ==> 
 
( ~STABLE_LO (bsig l_last_0 p') 
 
(ti'+l, (9u' .NTH_TIMB_FALSE 0(bsig I_srdy_B o' ) <ti'+l)u' ) ) /\ 
STABLB_HI (bsig l_last_0 p') 
 
(ti'+l, (9u' . NTH_TIME_FALSB 0(baig I_srdy_E o' ) (ti'+l)u' ) ) /\ 
STABLE_LO (bsig l_last_0 p') 
 
((9u'. NTH_TIME_FALSB 0 (bsig I_srdy_E o')(ti' + l)u')+l, 
 
(9u'. NTH_TIME_FALSB l(bsig I_srdy_E o')(ti' + Du’)))*'), 
 
REPEAT OEN_TAC 
THEN STRIP_TAC 
 
THEN IMP_RBS_TAC EXPAND_STANDARD_ASSOMPS 
THEN SUBQOAL_THBN 
 
“VAL 1 (SUBARRAY ( SND ( L_ad_inB (o' (tp' ttimeC) ))) (1, 0) ) > 0" ASSUME_TAC 
 
THENL [ 
 
% Subgoal li (New subgoal) % 
 
ASSUME_TAC (RBWRITB_RULE [] (REDUCE_CONV "1<=3") ) 
 
THEN IMP_RBS_TAC VAL_WORDN_IDENT_l 
THEN ASM_RBWRITE_TAC [ ] 
 
THEN REDUCE_TAC 
I 
 
% Subgoal 2t (Continue) % 
 
IMP_RES_TAC IB_READY_ASSUMPS 
 
THEN XMP_RBS_TAC I_IiAST_STABLB_HI_FROM_TI ' _TO_T ' RDYO 
THEN SUBOOAL_THEN 
 
" ( 9u ' . NTH_TIMB_FAI.SE 0(boig I_srdy_E o')(ti' + l)u') = u'" 
ASSUMB_TAC 
 
THENL [ 
 
% Subgoal 2 . 1 i (New Subgoal) % 
 
SBLBCT_UNIQUB_TAC 
THENL [ 
 
% Subgoal 2.1. It (Existence) % 
 
RBWRI TB_TAC [NTH_TIME_FALSB ) 
 
THEN ASM_REWRITE_TAC [ ] 
 
; 
 
% Subgoal 2.1.2t (Uniqueness) % 
 
REPEAT STRIP_TAC 
 
THEN IMP_RBS_TAC FALSE_BVBNT_TIMES_BQUAL 
 
3 
 
i 
 
% Subgoal 2.2t (Continue) % 
 
% The first two conjuncts follow from HI on the interval; the third
  needs the second I_srdy_E false event from I_SRDY_FALSE_2_TIMES. %
IMP_RES_TAC STABLE_H I_ IMP_NOT_S TABLB_LO 
THEN ASM_REWRITE_TAC [] 
 
THEN IMP_RES_TAC I_SRDY_FALSE_2_TIMBS 
THEN SUBOOAL_THEN 
 
"NTH_TIME_FALSB 0 (bsig I_srdy_E o') (ti'+l) u' /\ 
STABLB_TRUE_THBN_FALSB (bsig I_srdy_B o') (u '+1, t ' rdyl) " 
STRXP_ASSUME_TAC 
 
THENL t 
 
% Subgoal 2. 2. It (Now Subgoal) % 
 
RBWRITE_ASSUM_TAC 
 
( "NTH_TIME_FALSE l(bsig I_srdy_B e')(ti' + ljt'rdyl", 
s [nuin_CONV "1"»NTH_TIME_FALSE)) 
 
THEN CHOOSE_ASSUM_TAC 
 
"?t. STABLE_TRUB_THEN_FALSE(bsig I_srdy_E o')(ti' + (SUC 0),t)/\ 
 
„ STABLB_TRUE_THBN_FALSB (bsig I_srdy_E o')(t+(SUC 0),t'rdyl)" 
 
THEN POP_ASSUM_LIST 
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(MAP_BVBRY 
 
(Nthm. STRIP_ASSUME_TAC 
 
(REWRITB_RULE [ AUDI ; ADD_CLAUSBS ) thm) ) ) 
 
THBN SUBGOAL_THEN *u' = (t ' : timed " (\thm. RBWRITE_TAC [thm]) 
 
THBNL [ 
 
% Subgoal 2. 2.1. It (Naw subgoal) % 
 
IMP_RBS_TAC STABLB_TRUB_THEN_FALSB_UNIQUE 
 
> 
 
% Subgoal 2.2.1.2t (Continue) % 
 
ASM_RBWRXTB_TAC [NTH_TIMB_FALSE ] 
 
] 
 
; 
 
% Subgoal 2.2.2t (Continue) % 
 
IMP_RBS_TAC I_LAST_F0R_BL0CK_SIZB_1 
THEM SUBGOAL_THBN 
 
"(9u'. NTH_TIMB_FALSB l(bslg I_srdy_E e')(ti' + l)u') = t'rdyl" 
ASSUMB_TAC 
THBNL [ 
 
% Subgoal 2. 2. 2. It (New Subgoal) %. 
 
SBLECT_UNIQUB_TAC 
THBNL [ 
 
% Subgoal 2. 2. 2.1. It (Existence) % 
 
ASM_RBWRITB_TAC [ ] 
 
; 
 
% Subgoal 2.2.2.1.2t (Uniqueness) % 
 
REPEAT STRIP_TAC 
 
THBN IMP_RBS_TAC FALSB_BVBNT_TIMES_EQUAL 
 
] 
 
I 
 
% Subgoal 2.2.2.2t (Continue) % 
 
ASM_REWRITE_TAC [ ] 
 
] 
 
1 
 
] 
 
] 
 
)n 

% I_SRDY_FALSE_3_TIMES (OCR-garbled spelling below).
  Existence of a time t'rdy2 at which I_srdy_E has been false for the
  third time (NTH_TIME_FALSE 2) after ti'+1, given the standard
  assumptions and a block size field greater than 1.
  Same shape as I_SRDY_FALSE_2_TIMES: the second false event t'rdy1 is
  obtained from that theorem, a further STABLE_TRUE_THEN_FALSE interval
  starting at t'rdy1+1 is extracted from rdy_sig_ib (Subgoal 1, using
  l_last_0 HI from I_LAST_STABLE_HI_FROM_T'RDY0_TO_T'RDY1), and Subgoal 2
  assembles the witness by unfolding NTH_TIME_FALSE.  Identifier
  spellings are scanning artifacts and must be checked against the
  original HOL source before re-running the proof. %
let I_SRDY_FALSE_3_TIMHS * TAC_PROOF 
 
(([], 
 
"1 (pti tPTI) (s ttimeT->pt_#tate) (e ttimeT->pt_env) (p itimeT->pt_out) 
 
(t ttimeT) (s' itimeC->pc_state) (e' t timeC->pc_env) (p' ttimeC->pc_out) 
(tp' ti' t timeC) . 
 
( Standard_As sumps pti e e p t s' e' p' tp' ti' /\ 
 
VAL 1 ( SUBARRAY ( SND ( L_ad_inE ( e ' tp')))(l,0)) > 1) ==> 
 
?t'rdy2. NTH_TXME_FALSE 2 (bsig I_srdy_E o') (ti'+l) t'rdy2"), 
 
REPEAT STRIP_TAC 
 
THEN IMP_RBS_TAC BXPAND_STANDARD_ASSUMPS 
 
THBN ASSUMB_TAC ( RBWRITE_RULB [] (REDUCE_CONV "1>0")) 
 
% Size greater than 1 implies greater than 0, so the 2-times result applies. %
THBN IMP_RBS_TAC GRBATBR_TRANS 
THEN IMP_RES_TAC I_SRDY_FALSE_2_TXMBS 
THBN IMP_RBS_TAC IB_RBADY_ASSUMPS 
THEN SUBGOAL_THBN 
 
"?V' . STABLB_TRUE_THBN_FALSB (bsig I_srdy_E e') (t'rdyl + l,v')" 
ASSUMB_TAC 
 
THBNL [ 
 
% Subgoal It (New Subgoal) % 
 
NRULB^ASSUM_TAC 
 
("lu'. rdy_sig_ib e' p' u' ««> 
 
( ?V ' . STABLB_TRUB_THBN_FALSE (bsig I_srdy_B e')(u' + l,V'))" f 
(BBTA—RULB o ( REWRITB_RULB [rdy_sig_ib;BSel] ) o (SPEC "t ' rdyl t timeC") ) ) 
THBN AS S UMB_ T AC ( RBWRITE_RULB [] (RBDUCB_CONV "0<1") ) 
 
THBN IMP _RB S _T AC PRIOR_FALSB_BVBNTS_BXIST 
THEN NRU LB_AS S UM_T AC 
 
("NTH_TIMB_FALSE l(bsig I_srdy_B e')(ti' + l)t'rdyl", 
 
( PURB_ONCB_REWRITB_RULE [num_CONV "1"])) 
 
THEN NRULB_ASSUM_TAC 
 
( "NTH_TIME_FALSE (SUC 0) (bsig I_srdy_B e')(ti' + (SUC 0))t'rdyl", 
 
( PURE_ONCB_RBWRITB_RULB [NTH_TIME_FALSE] ) ) 
 
THBN IMP_RBS_TAC I_LAST_STABLB_HI_FROH_T ' RDYO_TO_T ' RDY1 
THBN NRULB_ASSUM_TAC 
 
("STABLB_HI (bsig l_last_0 p')(ti' + l,u')". 
 
 
 
(BETA_RULE o ( REWRITB_RULE [STABLE_HI;bsig;BSel] ) ) ) 
 
THEN NRULB_ASSUM_TAC 
 
( "STABLB_TRUE_THBN_FALSB (bsig I_srdy_B o')(ti' + 1,U') ", 
 
(BETA_RULE o ( RBWRITS_RULE [STABLE_TRUE_THEN_FALSE;bsigjBSel] ) ) ) 
 
* THEN POP_ASSUM_LIST (MAP_EVERY ( \thm. STRIP_ASSUME_TAC thm) ) 
 
THEN SPEC_ASSUM_TAC 
 
("It- (ti' + 1) <= t /\ t <= u' ==> (SND(X_last_0(p' t) ) = HI)", 
 
"u' ttimeC") 
 
i THEN ASSUMB_TAC (SPEC "\ 1 ' itimoC" LB S S_EQ_RKF L ) 
 
THEN RES_TAC 
THEN RES_TAC 
 
THEN EXISTS_TAC «v' itimoC" 
 
THEN ASM_REWRITE_TAC [ ] 
 
) 
 
% Subgoal 2: build the NTH_TIME_FALSE 2 witness from the intervals. %
CHOOSE_ASSOM_TAC 
 
*?V' . STABLE_TRHE_THEN_FALSB (bsig I_srdy_B e')(u' + 1,V')" 
 
THEN EXISTS_TAC "v' ttimeC" 
 
THEN REWRITE_TAC [num_CONV "1" ; NTH_TIME_FALSE ] 
 
THEN EXISTS_TAC "u' ttimeC" 
 
THEN A3M_REWRITE_TAC [ADDlj ADD_CLAUSES] 
 
] 
 
) ; J 

% I_LAST_FOR_BLOCK_SIZE_2' (OCR-garbled spelling below).
  Asserted behaviour of l_last_0 for a block size field of WORDN 1 2:
  not LO on the first two inter-event intervals, HI up to the second
  I_srdy_E false event, and LO from there to the third.
  Unlike the size-0 and size-1 cases above, this is introduced with
  mk_thm, which constructs a theorem WITHOUT a proof: the logical kernel
  does not check it, so it is an unverified assumption of this
  verification rather than a proved result.  BS_WRITE (Subgoal 2.3)
  depends on it, so its assurance is bounded by this assertion until a
  TAC_PROOF replaces it. %
let I_LAST_POIL.BLOCK_SI2E_2 ' « mk_thm 
 
( U , 
 
"1 (pti iPTI) (b t timeT->pt_state) (e itimeT->pt_env) (p ttimeT->pt_out) 
 
(t itimeT) (s' ttimeC->pc_state) (e' ttimeC->pc_env) (p' ttimeC->pc_out) 
 
(tp' ti' ttimeC) . 
 
(Standard_Aa Bumps pti s e p t s' e' p' tp' ti' /\ 
 
( SUBARRAY ( SND ( L_ad_inB ( e ' tp')))(l,0) = WORDN 1 2)) ==> 
 
( -STABLE_LO (bsig l_last_0 p') 
 
(ti'+l, (®u< . NTH_TIME_FALSE 0(bsig I_srdy_E o' ) (ti'+l)u' ) ) /\ 
 
-STABLB_LO (bsig l_last_0 p') 
 
( ( ®u ' . NTH_TIMB_FALSB Ofbsig I_srdy_E e')(ti' + l)u') + 1, 
 
(9u'. NTH_TIME_FALSE l(bsig I_srdy_E e')(ti' + l)u')) /\ 
 
STABLE_HI (bsig l_last_0 p') 
 
(ti'+l, (9u' .NTH_TIMB_FALSB l(bsig I_srdy_B e' ) (ti'+l)u' ) ) A 
stablb_lo (bsig l_last_0 p') 
 
((®u'. NTH_TIMB_FAL3B l(bsig I_srdy_B e')(ti' + l)u')+l, 
 
(®U'. NTH_TIME_FALSE 2 (bsig I_srdy_B e')(ti' + l)u')))" 
 
)>> 

% I_LAST_FOR_BLOCK_SIZE_3' (OCR-garbled spelling below).
  Asserted behaviour of l_last_0 for a block size field of WORDN 1 3:
  not LO on the first three inter-event intervals, HI up to the third
  I_srdy_E false event, and LO from there to the fourth.
  Introduced with mk_thm, i.e. asserted WITHOUT a proof and unchecked by
  the logical kernel; it is an unverified assumption of this verification.
  BS_WRITE (Subgoal 2.4) depends on it, so its assurance is bounded by
  this assertion until a TAC_PROOF replaces it. %
let I_LAST_FOR_BLOCK_SIZB_3 ' = mk_thm 
 
([], 
 
"1 (pti jPTI) (s :timeT->pt_state) (e :timeT->pt_env) (p itimeT->pt_out) 
 
(t itimeT) (s' itimeC->pc_state) (e' itimeC->po_eixv) (p' itimec->po_out) 
 
(tp' ti' ttimeC) . 
 
(Standard_Assuinps pti s e p t s ' e ' p' tp' ti' A 
( SUBARRAY ( SND ( L_ad_inB ( e ' tp')))(l,0) ■ WORDN 1 3)) =»=> 
 
( -STABIiE_LO (bsig l_last_0 p') 
 
(ti'+l, (9u'.NTH_TIMB_FALSB 0(bsig I_srdy_B e') (ti'+l)u')) /\ -STABLB_LO 
 
(bsig l_last _0 p') 
 
((®u'. NTH_TIMB_FALSE 0 (bsig I_srdy_B e')(ti' + l)u') + 1, 
 
(®u'. NTH_TIME_FALSE l(bsig l_srdy_E e')(ti' + l)u')) /\ 
 
-STABLE_LO (bsig l_last_0 p') 
 
((®U'. NTH_TIME_FALSE lfbsig I_srdy_E e')(ti' + l)u') + 1, 
 
(®U'. NTH_TIME_FALSB 2 (bsig I_srdy_E e')(ti' + l)u')) /\ 
 
STABLB_HI (bsig l_last_0 p') 
 
(ti’+l, (®U’ .NTH_TIME_FALSE 2 (bsig I_srdy_E e' ) (ti' +l)u' ) ) /\ 
 
STABLE_LO (bsig l_last_0 p') 
 
((®u'. NTH_TIMB_FALSE 2(bsig I_srdy_E e')(ti' + l)u')+l, 
 
(8u'. NTH_TIME_FALSB 3 (bsig I_srdy_B e')(ti' + l)u')))" 
 
)ll 

% SETUP_TAC tm (OCR-garbled spelling below).
  Common opening tactic for the transaction-level correctness proofs:
  strips the goal, derives the abstraction relation from ABS_SET_IMP_ABS,
  specialises the PTAbs assumption at the transaction tm and the goal's
  time t, splits the resulting conjunction into separate assumptions,
  resolves, and drops the assumptions the remaining proof does not need
  (the POP_ASSUM ... ALL_TAC lines marked KEEP).
  The quoted assumption pattern names the goal's free variables
  s e p s' e' p' and t literally, so the tactic only applies to goals that
  use exactly those variable names. %
let SBTOP_TAC tm > 
 
REPEAT STRIP_TAC 
 
THEN IMP_RBS_TAC ABS_SET_IMP_ABS 
j THEN NROLB_ASSUM_TAC 
 
("!pti t. PTAbs pti s e p t s' e' p'", 
 
( (SPECL (tm>"t itimeT")) o (RBWRITB_RULB [PTAbs]))) 
 
THEN POP_ASSUM_LIST (MAP_BVERY (\thm. STRIP_ASSUME_TAC thm)) 
 
THEN RBS_TAC 
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THEN RES_TAC 
 
THEN POP_ASSUM (\thm. ALL_TAC) %KEEP% 
THEN POP _ASSOM (\thm. ALL_TAC) %KBEP% 
THEN IMP_RES_TAC NTH_IBUS_TRANS_BXISTS 
THEN IMP_RBS_TAC NTH_TIME_TROE_X_IMP_X 
THEN POP_ASSOM (\thm. ALL_TAC) %KBEP% 
THEN RES_TAC 
 
THEN POP_ASSUM (\thm. ALL_TAC ) %KBEP% 
THEN POP_ASSUM (\thm. ALL_TAC) %KBBP%; ; 


% lemma1 (OCR-garbled spelling below): function congruence,
  x = y ==> f x = f y, proved by stripping and rewriting with the
  equality.  BS_WRITE instantiates it with f = WORDN 1 to turn an
  equality on VAL of the block size field into an equality on words. %
let lammal = TAC_PROOF 
 
(([], "I (x y i«) (f !*->**) . (x * y) ==> (f x = £ y) ") , 
 
REPEAT STRIP_TAC 
THEN ASM_REWRITB_TAC[) 
 
)»» 

% BS_WRITE (OCR-garbled spelling below).
  Correctness of the IB_BS_out output for a PT_Write transaction: under
  PCSet_Correct, the abstraction PTAbsSet, PT_Exec and PT_PreC, the output
  computed by the transaction-level function PT_WriteOF agrees with the
  observed output p at time t.  After SETUP_TAC and unfolding the
  IB_BS_out and PB_BS_in isomorphisms, Subgoal 1 re-establishes
  Standard_Assumps for PT_Write and Subgoal 2 bounds the 2-bit block size
  field (MAXWORD) and case-splits its value into 0, 1, 2, 3 via
  LESS_EQ_3_CASES; each case lifts the VAL equality to a WORDN equality
  with lemma1 and WORDN_VAL_IDENT_1 and then applies the matching
  I_LAST_FOR_BLOCK_SIZE_n' result.  Note that the size-2 and size-3
  results (Subgoals 2.3 and 2.4) are mk_thm assertions, not proved
  theorems, so this theorem's assurance rests on them.  Identifier
  spellings are scanning artifacts and must be checked against the
  original HOL source before re-running the proof. %
let BS_WRITE = TAC_PROOP 
 
(([], 
 
"! (a i timeT->pt_atate) (e itimeT->pt_env) (p itimeT->pt_out) 
 
(a' itimeC->pc_atate) (e' itimec->pc_env) (p' itimeC->pc_out) . 
PCSet_Correct a' e' p' ■=> 
 
PTAbaSet a a p a' a' p' ==> 
 
PT_Exec PT_Write a e p t ==> 
 
PT_PreC PT_Write a e p t ==> 
 
(IB_BS_outO (PT_WriteOF (a t) (e t) ) = IB_BS_outO (p t))"), 
 
SETUP_TAC "PT_Write" 
 
THEN IMP _RB S_T AC (EXPAND_LBT_RULE IB_BS_out_ISO) 
 
THEN IMP_RBS_TAC ( EXPAND_LET_RULE PB_BS_in_ISO) 
 
THEN ASM_RBWRITB_TAC [PT_WriteOF_BXP> IB_BS_OUtO] 
 
THEN POP_ASSUM (\thm. ALL_TAC) 
 
THEN POP_ASSUM (\thm. ALL_TAC ) 
 
THEN SUBOOAL_THBN 
 
"Standar d_Aa sumps FT_Write a e p t a' a' p' tp' ti'" ASSOME_TAC 
 
THBNL [ 
 
% Subgoal 1> (New aubgoal) % 
 
ASM_REWRITE_TAC [Standard_AaaumpB ] 
 
; 
 
% Subgoal 2t (Continue) % 
 
% Bound the 2-bit size field, then split on its four possible values. %
ASSUMB_TAC 
 
(SPECL ["1"; "SOBARRAY ( SND ( L_ad_inB (a ' (tp' itimaC) ) ) ) (1, 0) "] MAXWORD) 
 
THEN IMP_RES_TAC (REWRITB_RDLE [PRE_S0B1] LT_IMP_LE_PRE ) 
 
THEN RULE_ASSUM_TAC REDUCB_RULB 
 
THEN ASSUMB TAC (SPEC "SND ( L_ad_inE ( a ' (tp' ttimeC) ) ) " SIZE_SUBARRAY_1) 
 
THEN IMP„RBS_TAC LHSS_EQ_3_CASES 
THBNL [ 
 
% Subgoal 2.1) [ "VAL 1 ( SUBARRAY ( SND ( L_ad_lnB ( a ' tp')))(l,0)) = 0" ] % 
 
IMP_RRS_TAC 
 
(ISPBCL [ "VAL 1 ( SUBARRAY ( SND ( L_ad_inB ( a ' ( tp' i timeC) ) ) ) (1, 0) ) ") "0"> 
"WORDN 1"] lammal) 
 
THEN XMP_RBS_TAC WORDN_VAL_IDBNT_l 
THEN ASM_RBWRITE_ASSUM_TAC 
 
("WORDN 1(VAL 1 (SOBARRAY (SND (L_ad_inE (a' ( tp timeC ))))( 1 , 0 )) ) = 
WORDN 1 0", [] ) 
 
THEN XMP_RES_TAC I_LAST_FOR_BLOCK_SIZE_0 ' 
 
THEN ASM_REWRITE_TAC[] 
 
I 
 
% Subgoal 2.2) [ "VAL 1 ( SUBARRAY ( SND ( L_ad_inB ( a ' tp')))(l,0)) = 1" ] % 
 
IMP_RE S_TAC 
 
( ISPBCL ["VAL 1 (SOBARRAY (SND (L_ad_inE (a' (tp' ttimeC) ))) (1, 0) ) "i "1"; 
"WORDN 1"] lammal) 
 
THEN IMP _RE S _ T AC WORDN_VAL_IDENT_l 
THEN ASM_REWRITB_ASSOM_TAC 
 
("WORDN 1 (VAL 1( SOBARRAY (SND (L_ad_inE (a' (tp' i timeC) ))) (1, 0 )) ) = 
WORDN 1 1", []) 
 
THEN IMP_RBS_TAC I_LAST_FOR_BLOCK_SIZE_l ' 
 
THEN ASM_RBWRITB_TAC[] 
 
; 
 
% Subgoal 2.3t [ "VAL 1 ( SOBARRAY ( SND ( L_ad_inB ( a < tp')))(l,0)) = 2" ] % 
% Relies on I_LAST_FOR_BLOCK_SIZE_2', a mk_thm assertion. %
 
IMP_RBS_TAC 
 
(ISPBCL ["VAL 1 (SOBARRAY (SND (L_ad^inB (a' (tp' : timeC) ))) (1, 0) ) "; "2"» 
"WORDN 1'] lammal) 
 
THEN IMP_RES_TAC WORDN_VAL_IDENT_l 
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TBBN ASM_RBWRITB_ASSOM_TAC 
 
("WORDN 1(VAL 1 ( SUBARRAY ( SND ( L_ad_inB ( a ' ( tp ' : timaC) ) ) ) (1, 0) ) ) = 
WORDN 1 2", [] ) 
 
TBBN IMF_RSS_TAC I_LAST_FOR_BLOCK_SIZB_2 ' 
 
TBBN ASM_RBWRITE_TAC [ ] 
 
; 
 
% Subgoal 2.4i [ "VAL 1 ( SUBARRAY ( SND ( L_ad_inB ( e ' tp')))(l,0)) = 3" ] % 
% Relies on I_LAST_FOR_BLOCK_SIZE_3', a mk_thm assertion. %
 
IMP_RBS_TAC 
 
(ISPSCL ["VAL 1 (SUBARRAY (SND (L_ad_inE(e' ( tp ' i timeC) ) ) ) (1, 0) ) "3" j 
"WORDN 1"] 1 annual) 
 
TBBN XMP_RBS_TAC WORDN_VAL_IDBNT_l 
TBBN ASM_RBWRITB_ASSUM_TAC 
 
("WORDN 1(VAL 1 ( SUBARRAY ( SND ( L_ad_inE ( a ' (tp ' i timeC ))))( 1, 0 )) ) = 
WORDN 1 3", [] ) 
 
TBBN IMP_RSS_TAC I_LAST_FOR_BLOCK_SIZB_3 ' 
 
TBBN ASM_RBWRITB_TAC[] 
 
] 
 
] 
 
>)) 
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